About This Guide


This guide describes how to install, configure, and use the Novell® Nsure™ 
Identity Manager Driver for MVS RACF. 


This guide contains the following sections:


+ Chapter 1, “MVS RACF Driver Overview,” on page 13
+ Chapter 2, “Installing the Novell Nsure Identity Manager Driver for MVS RACF,” on page 37
+ Chapter 3, “Customizing the Driver,” on page 67
+ Chapter 4, “Operating Procedures,” on page 77
+ Chapter 5, “Troubleshooting,” on page 81
+ Appendix A, “MVS RACF Schema and Driver Processing,” on page 89
+ Appendix B, “Messages,” on page 135
Required Knowledge and Skills


Use of this guide requires expertise with eDirectory™, iManager, DirXML®, 
MVS, RACF, and XSLT. 


To successfully plan for and deploy this driver, you must also have a complete 
understanding of the technical and business standards, conventions, processes, 
practices, and procedures used by the local installation. 


Installing, configuring, and operating this driver requires MVS system
programming skills, and administrative skills for eDirectory, DirXML, and
the OS platform where eDirectory and DirXML are installed. Customizing
this driver to run in a production environment requires Policy Builder
expertise and XSLT programming skills.


Additional Documentation 


For documentation about eDirectory, iManager, and DirXML (Nsure Identity
Manager), see the Novell eDirectory Product Documentation Web site
(http://www.novell.com/documentation/eDirectory.html).


For documentation about MVS and RACF, see your IBM* system
programming library. Many z/OS* manuals are available to IBM customers
online at the IBM z/OS Internet Library Web site
(http://www.ibm.com/servers/eserver/zseries/zos/bkserv).


There are many sources of information about XSLT. One excellent source is
XSLT Programmer's Reference by Michael Kay.


Documentation Updates 


For the most recent versions of Novell Nsure Identity Manager Driver for
MVS RACF documentation, see the Novell DirXML Drivers Web Site
(http://www.novell.com/documentation/lg/dirxmldrivers/index.html).


Configuration Procedure Documentation 


This book includes examples describing how to perform a given configuration 
task using iManager. These examples are written for iManager 2.0.2. If you 
use a different version of iManager, you might have to adjust your procedures 
accordingly. 
Documentation Conventions


In this documentation, a greater-than symbol (>) is used to separate actions 
within a step, and items within a cross-reference path. 


A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*)
denotes a third-party trademark.


User Comments 


We want to hear your comments and suggestions about this manual and the
other documentation included with Novell Nsure Identity Manager Driver for
MVS RACF. To contact us, send e-mail to namdoc@novell.com.
MVS RACF Driver Overview


The Novell® Nsure™ Identity Manager Driver for MVS RACF synchronizes 
user and group data between Novell eDirectory™ and RACF. The driver uses 
Nsure Identity Manager, which is powered by DirXML®, to communicate 
with eDirectory. 


The driver gives you access to RACF user and group attributes through the 
MVS RACF schema. The driver also allows you to issue arbitrary TSO 
commands on the MVS system. DirXML gives you access to eDirectory 
objects and their attributes. 


This section includes the following topics to provide an understanding of how 
the driver works: 


+ “Component Introduction” on page 14
+ “Component Details” on page 14
+ “Differences between eDirectory and RACF” on page 19
+ “Processing Description” on page 21
Component Introduction


A DirXML driver package includes 


+ The DirXML driver shim: The driver shim serves as an interface 
between the DirXML engine and the application. The DirXML driver 
shim contains two channels: the Subscriber channel and the Publisher 
channel. 


+ A starter set of sample policies and filters: Policies and filters are used 
by the DirXML engine to control the bidirectional flow of data between 
eDirectory and the driver shim. 


The MVS RACF driver includes these components. The MVS RACF driver 
package also includes the RACF Event Subsystem. The RACF Event 
Subsystem captures RACF events of interest, and provides the application 
interface to the Publisher and Subscriber channels. 


Component Details 


This topic describes the components of the MVS RACF driver package. 


+ “RACF Event Subsystem” on page 15
  + “RACF Exits” on page 16
  + “Cross Memory Queue” on page 16
  + “Change Log Started Task” on page 16
  + “Change Log Data Set” on page 16
  + “LDXSERV TSO Command” on page 17
  + “LDXISSUE TSO Command” on page 17
+ “Publisher Channel” on page 18
+ “Subscriber Channel” on page 18
+ “The MVS RACF Schema” on page 18
+ “Auxiliary Classes” on page 18
+ “Configuration” on page 19
Component Overview


Figure 1  Component Overview

[Figure 1, a diagram of the driver components, is not reproduced in this text.]


RACF Event Subsystem


The RACF Event Subsystem uses standard RACF exits to capture events of
interest and place them on a cross memory queue. The Change Log Started
Task moves events to the Change Log data set. The LDXSERV TSO
command provides the Publisher channel with access to the Change Log data
set. The LDXISSUE TSO command is used by the Subscriber channel to issue
TSO commands and capture their output.


RACF Exits


The RACF exits detect RACF activity of interest and place events in a cross 
memory queue. When the RACF exits place an event in the cross memory 
queue, they notify the Change Log Started Task. The Change Log Started Task 
then moves the event to the Change Log data set. 


Each system that shares a RACF database must run the RACF Event 
Subsystem RACF exits. 


The Common Command exit: Receives control when a RACF command is 
issued. The RACF Event Subsystem uses this exit to create an event for 
commands that affect users or groups. 


The RACROUTE REQUEST=VERIFY(X) (RACINIT) postprocessing 
exit: Receives control after user verification. The RACF Event Subsystem 
uses this exit to create an event when a user changes the password upon 
logging on to the system. 


Cross Memory Queue 


The cross memory queue is an in-storage buffer that holds events. Events are 
added to the cross memory queue by the RACF exits, and removed from the 
queue by the Change Log Started Task. The cross memory queue is located in 
Subpool 231 (fetch-protected ECSA). 


Change Log Started Task 


The Change Log Started Task is notified of events added to the cross memory 
queue by the RACF exits, and moves them to the Change Log data set. 


Each system that shares a RACF database must run the Change Log Started 
Task. The Change Log Started Task must be started as part of your normal 
MVS system initialization procedure and stopped during normal system 
shutdown. 


Change Log Data Set 


The Change Log data set stores events for processing by the Publisher 
channel. 


The Change Log data set is a standard MVS direct access (DSORG=DA) data 
set. There is one Change Log data set for the set of systems that share a RACF 
database. The Change Log data set must reside on a shared device unless the 
RACF database is not shared. 
LDXSERV TSO Command


LDXSERV is an APF-authorized TSO command that is used by the driver 
through a Telnet interface to access and control the RACF Event Subsystem. 


The Publisher channel calls LDXSERV to retrieve the next event from the 
Change Log data set, and to mark an event complete after processing is 
finished. 


The Subscriber channel calls LDXSERV upon startup to identify itself to the 
RACF command exit. This prevents the RACF command exit from generating 
events for RACF commands issued by the Subscriber channel (loopback). 


Syntax 


LDXSERV [ STATUS | GETNEXT | MARKDONE EVENTID(token) | NOLOG 
| LOG ] 


STATUS: Reports the status of the RACF Event Subsystem in an XML 
document. 


GETNEXT: Obtains the next event from the Change Log data set. 


MARKDONE: Marks the designated event complete in the Change Log data 
set. 


NOLOG: Causes the RACF command exit to not log events for commands 
that originate from the current address space. The Subscriber channel issues 
this command at logon to prevent loopback. 


LOG: Removes the address space token that prevents RACF commands from
being logged.


LDXISSUE TSO Command


LDXISSUE is a TSO command that is used by the Subscriber channel through 
a Telnet interface to issue commands and capture their output. 


Syntax 


LDXISSUE command 


LDXISSUE executes the supplied TSO command, and returns the command 
output and return code in an XML document. 
Publisher Channel


The Publisher channel obtains RACF events from the Change Log data set, 
encodes them as XDS documents, and passes them to the DirXML engine. 
The Publisher channel marks events complete in the Change Log data set after 
they have been processed. 


The Publisher channel accesses the Change Log data set by issuing 
LDXSERV TSO commands through a Telnet interface. A logon ID with 
appropriate authority is required for the Telnet interface. 


Subscriber Channel 


The Subscriber channel receives XDS command documents for users and 
groups from the DirXML engine, converts them to RACF TSO commands, 
and executes them. 


The Subscriber channel does not perform validation of attribute values in the 
XDS command document. If the requirements of RACF are not met, the 
results of the RACF commands are unpredictable. 


The Subscriber channel can also execute arbitrary TSO commands generated 
in the Command class by the policies. For details, see “Using the Subscriber 
Channel Command Class” on page 73. 


The Subscriber channel uses the LDXISSUE command through a Telnet 
interface to issue TSO commands. A logon ID with appropriate authority is 
required for the Telnet interface. 


The MVS RACF Schema 


The Novell Nsure Identity Manager Driver for MVS RACF uses the MVS 
RACF schema to describe the attributes of user and group profiles in RACF. 
For a description of the MVS RACF schema, see “MVS RACF Schema” on 
page 90. For a description of how attributes in the MVS RACF schema relate 
to RACF command parameters, see “RACF Command Parameter Mapping” 
on page 106 and “Driver Processing of Attributes and Commands” on page 
127. 


Auxiliary Classes 


The Novell Nsure Identity Manager Driver for MVS RACF provides auxiliary
classes to add MVS RACF schema attributes to User and Group objects in
eDirectory. You can use the driver to maintain the RACF attributes between
corresponding users and groups in RACF and eDirectory.


Configuration


The behavior of a DirXML driver is governed by its configuration of options,
policies, and filters. The configuration of the MVS RACF driver is stored in
its driver object in eDirectory.


A preconfigured starter set of sample policies is provided with the Novell 
Nsure Identity Manager Driver for MVS RACF. You must customize these as 
appropriate for your needs. 


For a description of the processing of the sample policies, see “Processing 
Description” on page 21. For details about customizing the driver, see Chapter 
3, “Customizing the Driver,” on page 67. 


Differences between eDirectory and RACF 


There are major differences in the way information is organized and processed 
between eDirectory and RACF. 


For example, there is not a one-to-one correspondence between the eDirectory 
and RACF representations of users, groups, and group membership. 


In eDirectory, users are represented by User objects. Groups are represented 
by Group objects. User objects have a Group Membership attribute that lists 
the groups the user belongs to. Group objects have a Member attribute that 
includes the users that belong to it. When a user is added to a group, both 
objects are modified. 


In RACF, users are represented by a user profile. Groups are represented by a 
group profile. Users and groups are associated by a connect profile. User 
profiles do not contain a list of the groups the user belongs to. Ordinary groups 
contain a list of all of their members, but universal groups do not. 


This disparity places requirements on the way the driver processes events for 
users and groups. For example, when a user is added to a group in eDirectory, 
a RACF CONNECT command must be issued to perform the equivalent 
change in RACF. 


RACF connect profiles have attributes that have no direct counterpart in
eDirectory. These attributes control some of the privileges a user has when
connected to the group. For example, a user can be designated as a security
auditor for the group.


The MVS RACF driver specifies a default set of attributes when creating 
connect profiles. You can change the way that connect profiles are created by 
modifying the Output transformation. 


While eDirectory is hierarchical, RACF is flat—there is no concept of a move 
function. RACF provides no rename function. The Subscriber channel rejects 
move and rename commands. The sample Subscriber Event policy vetoes 
move and rename events. You can change this policy to perform installation- 
specific processing of move or rename events if required. 


RACF does not perform any implicit cleanup activity when user profiles or 
group profiles are deleted. RACF installations typically perform special 
cleanup processing periodically to remove users and groups that are no longer 
used. The sample Subscriber Event policy vetoes delete group events and 
converts delete user events into a RACF revoke. You can modify these actions 
as appropriate for your installation. 


Much of the processing in the sample Input and Output policies provided with 
the MVS RACF driver deals with converting commands and events between 
their eDirectory representation and their RACF representation. 


You can change the behavior and decisions of DirXML by modifying the 
policies and filters. For more information about changing the behavior of 
DirXML, see Chapter 3, “Customizing the Driver,” on page 67. 


An overview of MVS RACF driver processing for various commands and 
events follows this topic. 


IMPORTANT: Because not all mapped attributes correspond precisely, changes made 
in eDirectory or RACF cannot always be sent round trip through the driver and return 
unchanged. Furthermore, certain RACF behavior places limitations on the faithful 
correspondence of processing between RACF and eDirectory. For more information, 
see “Driver Processing of Attributes and Commands” on page 127. 
Processing Description


This topic discusses the processing of commands and events by the driver and 
the preconfigured starter set of policies and filters. For information about 
customizing this processing, see Chapter 3, “Customizing the Driver,” on page 
67. 


+ “Subscriber and Publisher Channel Processing” on page 22
+ “Policy Summary” on page 23
+ “Add and Modify Commands and Events” on page 28
+ “Delete Commands and Events” on page 31
+ “Rename and Move Commands and Events” on page 32
+ “Password Synchronization” on page 33


For a review of DirXML fundamentals, see Nsure Identity Manager
Administration Guide (http://www.novell.com/documentation/lg/dirxml20).
Subscriber and Publisher Channel Processing


The Subscriber channel processes XDS commands for users and groups 
subject to the limitations of RACF. The Subscriber channel constructs RACF 
commands using the values of MVS RACF schema attributes in the XDS 
documents that it receives. Some values or combinations of values are invalid, 
not meaningful, or subject to other RACF restrictions. 


The Publisher channel generates XDS event documents based on values 
specified on RACF commands. Certain RACF command parameters and 
values, or combinations of parameters and values can cause side effects that 
are not reflected in the events that are generated. Other RACF processing, 
such as a user being revoked because of an excessive number of invalid 
password attempts, does not cause an event. Changes made directly to the 
RACF database, such as those made using ICHEINTY, do not generate events. 


For more details about driver processing for MVS RACF schema attributes,
see “RACF Command Parameter Mapping” on page 106. For details about the
handling of certain special cases, see “Driver Processing of Attributes and
Commands” on page 127.
Policy Summary


The following tables summarize the preconfigured sample policies and filter.


Schema Mapping Policy


Class User in eDirectory corresponds to class User in MVS RACF.


Table 1  Preconfigured Mapping Policy - Class User

eDirectory                      MVS RACF
CN                              DirXML-RACF-userid
Group Membership                DirXML-RACF-groups
Login Disabled                  DirXML-RACF-revoked
Login Expiration Time           DirXML-RACF-revokedate
Password Expiration Interval    DirXML-RACF-password-interval


Class Group in eDirectory corresponds to class Group in MVS RACF.


Table 2  Preconfigured Mapping Policy - Class Group

eDirectory                      MVS RACF
CN                              DirXML-RACF-group
Filter


Classes and their attributes can be synchronized or ignored by each channel.
The flow of data is specified during installation, and can be changed later
using iManager. The preconfigured filter contains the attributes shown in the
following list.


+ Class User
  + CN
  + Group Membership
  + Login Disabled
  + Login Expiration Time
  + Password Expiration Interval
  + nspmDistributionPassword
  + DirXML-SPEntitlements
+ Class Group
  + CN
Subscriber Channel


Preconfigured Sample Policies - Subscriber Channel

Policy      Processing

Event       Changes delete commands for a User object to set Login Disabled
            to true.
            Vetoes delete commands for a Group object.
            Vetoes rename and move commands.
            If configured to do so, vetoes all operations for objects with no
            association.
            If entitlements are not configured, vetoes events for User objects
            not in the specified subtree.
            Vetoes events for Group objects not in the specified subtree.

Matching    Matches User and Group objects by CN.
            If entitlements are configured, vetoes commands for users that do
            not have the racfAccount entitlement.

Create      Requires the CN attribute for User and Group objects.
            If entitlements are configured, vetoes commands for users that do
            not have the racfAccount entitlement.

Placement   Not used.

Command     If configured to do so, blocks subscribing to password information.
            Converts add commands with nspmDistributionPassword to use the
            password element.
            Converts modify-attr for nspmDistributionPassword to
            modify-password.
            If configured to do so, blocks modifies for failed password publish
            operations.
            If entitlements are configured, processes addition and removal of
            racfAccount entitlement according to choices made during
            installation.
            Adds password payload to operation data for use in e-mail
            notification of failures.

Output      Converts DirXML-RACF-revokedate from eDirectory format to
            mm/dd/yy.
            Converts DirXML-RACF-password-interval from seconds to days.
            Adds RACF command parameters to RACF-groups.
            Provides default attribute values for new users.
            If configured to do so, notifies users by e-mail of failed password
            publications.
Publisher Channel


Preconfigured Sample Policies - Publisher Channel

Policy      Processing

Input       Converts DirXML-RACF-revokedate from mm/dd/yy to eDirectory Time
            format.
            Converts DirXML-RACF-password-interval from days to seconds.
            Removes RACF command parameters from RACF-groups.
            Removes old-password from modify-password events.
            Converts password values (add User and modify-password) to
            lowercase.
            Converts user ID and group names to lowercase.
            If configured to do so, notifies users by e-mail of failed password
            subscriptions.

Event       Not used.

Matching    If configured to do so, vetoes all operations for objects without
            an association.
            Matches User and Group objects by CN to eDirectory objects in the
            specified container.

Create      Generates Surname from CN for User objects.
            Requires CN and Surname for User objects. Requires CN for Group
            objects.

Placement   Places User and Group objects in the specified container.

Command     If configured to do so, blocks publishing passwords.
            If configured to do so, publishes passwords to
            nspmDistributionPassword.
            If configured to do so, blocks publishing passwords to NDS®
            password.
            Adds password payload to operation data for use in e-mail
            notification of failures.


Add and Modify Commands and Events 


This section describes how certain attributes of User and Group objects are 
processed by the preconfigured sample policies for add and modify 
commands and events. All other schema attributes are passed unchanged if 
allowed by the filters. 


CN — DirXML-RACF-userid and DirXML-RACF-group


The CN attribute of an eDirectory User object is mapped by the Schema
Mapping policy with the DirXML-RACF-userid attribute of a RACF User
object.


The CN attribute of an eDirectory Group object is mapped by the Schema
Mapping policy with the DirXML-RACF-group attribute of a RACF Group
object.


Publisher Channel


The CN attribute value for an add event is converted to lowercase by the
sample Input policy.


Surname


Surname is a mandatory attribute for an eDirectory User object.


Subscriber Channel


The Subscriber channel does not use the Surname attribute.


Publisher Channel


The sample Publisher Create policy inserts the Surname attribute for an add
event, using the value of the CN attribute.


Login Disabled — DirXML-RACF-revoked 


Login Disabled and DirXML-RACF-revoked, if set to true, prevent the user
from accessing the system.


The Login Disabled attribute of an eDirectory User object is mapped by the
Schema Mapping policy with the DirXML-RACF-revoked attribute of a
RACF User object.


For details about the interaction of RACF REVOKE and RESUME dates for
a user, see your RACF documentation.


Login Expiration Time — DirXML-RACF-revokedate 


Login Expiration Time specifies a date and time after which an eDirectory 
user cannot log in. 


DirXML-RACF-revokedate specifies a starting date for when a RACF user 
cannot enter the system. For details about the interaction of RACF REVOKE 
and RESUME dates for a user, see your RACF documentation. 


The Login Expiration Time attribute of an eDirectory User object is mapped
by the Schema Mapping policy with the DirXML-RACF-revokedate attribute
of a RACF User object.


Subscriber Channel 


If a value for the Login Expiration Time attribute is present in an add or 
modify command for a User object, the sample Output policy converts the 
value from eDirectory Time format to the mm/dd/yy format used by RACF. 


Publisher Channel 


If a value for the RACF-revokedate attribute is present in an add or modify 
event for a User object, the sample Input policy converts the value from the 
mm/dd/yy format used by RACF to eDirectory Time format. 


Password Expiration Interval — DirXML-RACF-password-interval 


Password Expiration Interval and DirXML-RACF-password-interval specify 
how long a password remains valid. 


The Password Expiration Interval attribute of an eDirectory User object is
mapped by the Schema Mapping policy with the
DirXML-RACF-password-interval attribute of a RACF User object.


The eDirectory Password Expiration Interval value is in seconds. The 
DirXML-RACF-password-interval value is in days, and must be between 1 
and 254 inclusive. 


Subscriber Channel 


If a value for the DirXML-RACF-password-interval attribute is present in an
add or modify command for a User object, the sample Output policy converts
the value from number of seconds to number of days. If the number of days is
less than 1, the value is set to 1. If the number of days is greater than 254, the
value is set to 254.


Note that the value actually used by RACF is affected by the value, if any, 
specified using the INTERVAL operand of the SETROPTS command. 


Publisher Channel 


If a value for the DirXML-RACF-password-interval attribute is present in an 
add or modify event for a User object, the sample Input policy converts the 
value from number of days to number of seconds. 
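The two conversions described above for Login Expiration Time and Password Expiration Interval, written out as an added Python example; this is not the driver's sample policy code. It assumes, since the page does not say, that an eDirectory Time value is carried in XDS as integer seconds since the Unix epoch (UTC), that RACF reads a two-digit year yy as 19yy when yy is 71 or more and 20yy otherwise, and that seconds are converted to days by truncation before the 1 to 254 clamp. The XDS document is constructed for the example.

```python
"""Added example: the Output (Subscriber) and Input (Publisher) conversions
for DirXML-RACF-revokedate and DirXML-RACF-password-interval.
Assumptions: eDirectory Time = seconds since the Unix epoch (UTC);
RACF two-digit years use a 1971..2070 window; seconds->days truncates."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SECONDS_PER_DAY = 86400
RACF_MIN_DAYS, RACF_MAX_DAYS = 1, 254      # range RACF accepts for a password interval


def edir_time_to_racf_date(seconds: int) -> str:
    """Output policy: eDirectory Time (seconds) -> RACF mm/dd/yy."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc).strftime("%m/%d/%y")


def racf_date_to_edir_time(mmddyy: str) -> int:
    """Input policy: RACF mm/dd/yy -> eDirectory Time (seconds)."""
    month, day, yy = (int(part) for part in mmddyy.split("/"))
    year = 1900 + yy if yy >= 71 else 2000 + yy          # assumed century window
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def seconds_to_racf_interval(seconds: int) -> int:
    """Output policy: seconds -> days, clamped to 1..254 as the text describes."""
    days = int(seconds) // SECONDS_PER_DAY
    return max(RACF_MIN_DAYS, min(RACF_MAX_DAYS, days))


def racf_interval_to_seconds(days: int) -> int:
    """Input policy: days -> seconds."""
    return int(days) * SECONDS_PER_DAY


# (output-direction converter, input-direction converter) per RACF attribute name.
# Both policies run after schema mapping, so they see the RACF attribute names.
CONVERTERS = {
    "DirXML-RACF-revokedate": (edir_time_to_racf_date, racf_date_to_edir_time),
    "DirXML-RACF-password-interval": (seconds_to_racf_interval, racf_interval_to_seconds),
}


def transform_xds(xml_text: str, direction: str) -> str:
    """Rewrite every <value> of the two attributes in an XDS add or modify document.

    direction is "output" (eDirectory -> RACF) or "input" (RACF -> eDirectory).
    """
    if direction not in ("output", "input"):
        raise ValueError("direction must be 'output' or 'input'")
    root = ET.fromstring(xml_text)
    which = 0 if direction == "output" else 1
    for attr in root.iter():
        if attr.tag not in ("add-attr", "modify-attr"):
            continue
        pair = CONVERTERS.get(attr.get("attr-name", ""))
        if pair is None:
            continue
        for value in attr.iter("value"):
            if value.text and value.text.strip():
                value.text = str(pair[which](value.text.strip()))
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a modify command as it looks after schema mapping
# (90 days in seconds, and 2005-03-15 00:00 UTC in seconds).
SAMPLE_MODIFY = """<modify class-name="User" src-dn="\\DAL\\users\\eleu">
  <association>USER\\ELEU</association>
  <modify-attr attr-name="DirXML-RACF-password-interval">
    <remove-all-values/>
    <add-value><value>7776000</value></add-value>
  </modify-attr>
  <modify-attr attr-name="DirXML-RACF-revokedate">
    <remove-all-values/>
    <add-value><value>1110844800</value></add-value>
  </modify-attr>
</modify>"""

if __name__ == "__main__":
    print(transform_xds(SAMPLE_MODIFY, "output"))
```

Running the sample through "output" yields 90 and 03/15/05; running that result back through "input" restores the original seconds, which is the round trip the IMPORTANT note earlier in this chapter warns is not always possible for other attributes.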


Group Membership — DirXML-RACF-groups 


The Group Membership attribute of an eDirectory User object lists the groups 
the user belongs to. 


The DirXML-RACF-groups attribute of a RACF User object lists the groups
the user belongs to, together with related CONNECT or REMOVE command
parameters.


The Group Membership attribute of an eDirectory User object is mapped by
the Schema Mapping policy with the DirXML-RACF-groups attribute of a
RACF User object.


An add-value to a User object’s group membership is processed as a RACF
CONNECT command by the Subscriber channel. A remove-value is
processed as a RACF REMOVE command. The sample Output policy
appends a default set of parameters for these commands to the value element.
You can modify these parameters according to your own business
requirements. For details, see Chapter 3, “Customizing the Driver,” on page
67.


The value element for an add-value to a user’s Group Membership constructed 
by the Publisher channel contains the group name followed by the parameters 
from the RACF CONNECT command. Similarly, the value element for a 
remove-value includes parameters from the RACF REMOVE command. 


Subscriber Channel 


If a DirXML-RACF-groups attribute is present in an add or modify command
for a User object, the sample Output policy adds RACF information as
follows:


+ For an add-attr, remove-value, or add-value element, if there is no
association-ref, the value is discarded.


+ A default set of parameters for the CONNECT (for an add-attr or add- 
value element) command is appended to each value element. No 
parameters are added for the REMOVE (for a remove-value element) 
command by the sample policy, but an example is provided in the 
comments to guide you if you choose to add your own. 


Publisher Channel 


If a DirXML-RACF-groups attribute is present in an add or modify event, the
sample Input policy operates as follows:


+ The CONNECT or REMOVE command parameters are removed from 
the group name values. 


+ The group name values are converted to lowercase. 
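The Group Membership handling just described on both channels, as an added Python example rather than the driver's own sample policy: the Output policy step (discard values without an association-ref, append default CONNECT parameters, add none for REMOVE), the CONNECT and REMOVE commands the Subscriber channel then issues, and the Input policy step that strips the parameters and lowercases the group names. The group association layout GROUP\PAYROLL is assumed by analogy with the USER\ELEU association shown later in this chapter, and the default parameter set AUTHORITY(USE) UACC(NONE) is a stand-in; the driver's real defaults are in its sample Output policy.

```python
"""Added example: DirXML-RACF-groups processing on both channels.
Assumed: association layout GROUP\\NAME; DEFAULT_CONNECT_PARAMS is a stand-in."""
import xml.etree.ElementTree as ET
from typing import Dict, List

DEFAULT_CONNECT_PARAMS = "AUTHORITY(USE) UACC(NONE)"     # assumed default set
GROUPS_ATTR = "DirXML-RACF-groups"


def racf_name(association: str) -> str:
    """'USER\\ELEU' -> 'ELEU', 'GROUP\\PAYROLL' -> 'PAYROLL' (assumed layout)."""
    return association.rsplit("\\", 1)[-1]


def _parents(root: ET.Element) -> Dict[ET.Element, ET.Element]:
    return {child: parent for parent in root.iter() for child in parent}


def _group_values(root: ET.Element):
    """Yield (holder, value) for every value of the groups attribute.

    holder is the add-value / remove-value element, or the add-attr itself in
    an add command, so the caller can tell CONNECT from REMOVE.
    """
    parent_of = _parents(root)
    for value in list(root.iter("value")):
        holder = parent_of[value]
        attr = holder if holder.tag == "add-attr" else parent_of.get(holder)
        if attr is not None and attr.get("attr-name") == GROUPS_ATTR:
            yield holder, value


def output_policy_groups(xml_text: str) -> str:
    """Subscriber side: drop values with no association-ref, replace the
    eDirectory DN by the RACF group name, append CONNECT parameters."""
    root = ET.fromstring(xml_text)
    for holder, value in _group_values(root):
        assoc = value.get("association-ref")
        if assoc is None:                   # group not associated with RACF: discard
            holder.remove(value)
            continue
        group = racf_name(assoc)
        if holder.tag == "remove-value":
            value.text = group              # sample policy adds no REMOVE parameters
        else:
            value.text = f"{group} {DEFAULT_CONNECT_PARAMS}"
    return ET.tostring(root, encoding="unicode")


def groups_to_tso(xml_text: str) -> List[str]:
    """The CONNECT / REMOVE commands the Subscriber channel issues for a
    document already processed by output_policy_groups."""
    root = ET.fromstring(xml_text)
    userid = racf_name(root.findtext("association", ""))
    commands = []
    for holder, value in _group_values(root):
        group, _, params = (value.text or "").partition(" ")
        if holder.tag == "remove-value":
            commands.append(f"REMOVE {userid} GROUP({group})")
        else:
            commands.append(f"CONNECT {userid} GROUP({group}) {params}".rstrip())
    return commands


def input_policy_groups(values: List[str]) -> List[str]:
    """Publisher side: strip the command parameters, lowercase the group name."""
    return [v.split()[0].lower() for v in values if v.strip()]


# Constructed sample: one group associated with RACF, one not, one removal.
SAMPLE_MODIFY = """<modify class-name="User" src-dn="\\DAL\\users\\eleu">
  <association>USER\\ELEU</association>
  <modify-attr attr-name="DirXML-RACF-groups">
    <add-value>
      <value association-ref="GROUP\\PAYROLL">\\DAL\\groups\\payroll</value>
      <value>\\DAL\\groups\\unsynced</value>
    </add-value>
    <remove-value>
      <value association-ref="GROUP\\TEMP">\\DAL\\groups\\temp</value>
    </remove-value>
  </modify-attr>
</modify>"""

if __name__ == "__main__":
    for cmd in groups_to_tso(output_policy_groups(SAMPLE_MODIFY)):
        print(cmd)
```

The unassociated group is silently dropped, which is why a group must be synchronized (and so associated) before membership in it can be subscribed.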


Delete Commands and Events 


The RACF DELUSER command does not perform access list or resource 
ownership cleanup when deleting a user. This could result in security 
exposures if a new user is created with the same name as a deleted user with 
residual references. 


The RACF DELGROUP command does not clean up references to a group 
from such places as resource access lists, and cannot be used to delete a 
universal group. 


IBM recommends that you use the RACF Remove ID utility (IRRRID00)
when deleting users and groups. For more information, see your Security
Server RACF Security Administrator's Guide.


Subscriber Channel 


The preconfigured sample Subscriber Event policy converts a delete 
command for a user into a modify command for the user, setting the Login 
Disabled attribute to true. 


The preconfigured sample Subscriber Event policy vetoes delete commands 
for Group objects. 
Rename and Move Commands and Events


RACF does not provide a rename function.


The RACF database is not hierarchical. There is no move function. 


Subscriber Channel 


The preconfigured sample Subscriber Event policy vetoes rename and move 
commands. If you change the policies so that rename or move commands 
reach the Subscriber channel, the Subscriber channel rejects them with an 
error status. 


Publisher Channel 


The Publisher channel does not produce rename or move events. 
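The decisions the sample Subscriber Event policy makes for the delete, rename and move commands described in the two topics above, as an added Python example over XDS command documents; it is not the driver's sample policy itself. The constructed documents follow the XDS examples shown later in this chapter, and the require_association option stands in for the installation choice "vetoes all operations for objects with no association" from the policy summary.

```python
"""Added example: sample Subscriber Event policy decisions for delete,
rename and move, over constructed XDS command documents."""
import xml.etree.ElementTree as ET
from typing import Tuple


def subscriber_event_policy(xml_text: str, require_association: bool = False) -> Tuple[str, str]:
    """Return ("veto", reason) or ("pass", xml) for one XDS command."""
    root = ET.fromstring(xml_text)
    op, cls = root.tag, root.get("class-name")
    association = root.findtext("association")

    if require_association and not association:
        return "veto", f"{op} of {cls} vetoed: object has no RACF association"
    if op in ("rename", "move"):
        return "veto", f"{op} vetoed: RACF has no {op} function"
    if op == "delete" and cls == "Group":
        return "veto", "delete of Group vetoed: RACF does not clean up group references"
    if op == "delete" and cls == "User":
        # Turn the delete into a modify that sets Login Disabled; schema mapping
        # later turns the attribute into DirXML-RACF-revoked (a RACF revoke).
        modify = ET.Element("modify", dict(root.attrib))
        assoc_el = root.find("association")
        if assoc_el is not None:
            modify.append(assoc_el)
        attr = ET.SubElement(modify, "modify-attr", {"attr-name": "Login Disabled"})
        ET.SubElement(attr, "remove-all-values")
        ET.SubElement(ET.SubElement(attr, "add-value"), "value", {"type": "state"}).text = "true"
        return "pass", ET.tostring(modify, encoding="unicode")
    return "pass", xml_text


# Constructed commands as the DirXML engine would send them.
DELETE_USER = """<delete class-name="User" src-dn="\\DAL\\users\\eleu">
  <association>USER\\ELEU</association>
</delete>"""
DELETE_GROUP = """<delete class-name="Group" src-dn="\\DAL\\groups\\temp">
  <association>GROUP\\TEMP</association>
</delete>"""
MOVE_USER = """<move class-name="User" src-dn="\\DAL\\users\\eleu">
  <association>USER\\ELEU</association>
  <parent dest-dn="\\DAL\\contractors"/>
</move>"""
UNASSOCIATED_MODIFY = """<modify class-name="User" src-dn="\\DAL\\users\\newhire">
  <modify-attr attr-name="Login Disabled">
    <remove-all-values/>
    <add-value><value type="state">true</value></add-value>
  </modify-attr>
</modify>"""

if __name__ == "__main__":
    for doc in (DELETE_USER, DELETE_GROUP, MOVE_USER):
        print(subscriber_event_policy(doc))
```

The vetoed group delete is the point to hook installation-specific cleanup (for example, a scheduled IRRRID00 run) rather than a direct DELGROUP.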
Password Synchronization


DirXML uses the nspmDistributionPassword attribute to provide passwords 
from eDirectory. 


The Publisher channel of the driver uses password elements for add events to 
provide password information. The Publisher channel uses modify-password 
events for password changes. 


You can specify configuration options to control the processing of passwords 
by the preconfigured sample policies. 


For more details about Identity Manager password synchronization, see Nsure
Identity Manager Administration Guide (http://www.novell.com/
documentation/lg/dirxml20).


Subscriber Channel 


Based on configuration options that you specify, the Subscriber Command 
policy controls the processing of passwords in the Subscriber channel. 


+ You can block the subscription of passwords. 


For details about configuring password processing options, see “Setting 
Global Configuration Values” on page 61. 


When the password is changed in eDirectory, DirXML sends a modify XDS 
command to the Subscriber channel. 


<modify class-name="User" src-dn="\DAL\users\eleu">
  <association>USER\ELEU</association>
  <modify-attr attr-name="nspmDistributionPassword">
    <remove-all-values/>
    <add-value>
      <value>secret</value>
    </add-value>
  </modify-attr>
</modify>


The Subscriber Command policy changes this to a modify-password event. 


<modify-password class-name="User" src-dn="\DAL\users\eleu">
  <association>USER\ELEU</association>
  <password>secret</password>
</modify-password>


The Subscriber channel converts this to an ALTUSER TSO command and
issues the command through the Telnet interface.


ALTUSER ELEU NOEXPIRED PASSWORD(SECRET)


MVS requires that passwords be one to eight alphanumeric characters. An
installation can define additional password syntax rules. The ALTUSER
command rejects invalid or nonconforming passwords.


Publisher Channel


When a RACF user password is changed, either during logon, by the use of 
the PASSWORD command, or by the ALTUSER command, the RACF Event 
Subsystem adds a corresponding event to the Change Log data set. The 
Publisher channel obtains the event and encodes it as an XDS event. 


<modify-password class-name="user" src-dn="\ELEU"> 
<association>USER\ELEU</association> 
<old-password>GUESS</old-password> 
<password>SECRET</password> 
</modify-password> 


Based on configuration options that you specify, the Publisher Command 
policy controls the processing of passwords in the Publisher channel. 


+ You can block the publication of passwords. 


+ You can specify that passwords be published to 
nspmDistributionPassword. 


+ You can specify that passwords be published to the NDS password. 


For details about configuring password processing options, see “Setting 
Global Configuration Values” on page 61. 


For changes to the NDS password in eDirectory, if the old-password element 
is present, DirXML uses the modifyPassword API to modify the password. If 
the old-password element is not present, DirXML uses the GenerateKeyPair 
API. Note that using GenerateKeyPair can invalidate authentication 
credentials for any existing session authenticated as the target object. 


The preconfigured sample Input policy removes the old-password element 
from the event. 


<xsl:template match="old-password"/> 


You can comment this out if you prefer that the modifyPassword API be used. 
If the ALTUSER command is used to change the password, the old password 
is not available. 
MVS passwords are case-insensitive. The preconfigured sample Input policy 
converts passwords to lowercase. If you are using Universal Password, which 
is case-sensitive, you should consider the handling of passwords by MVS in 
your deployment planning. 


The modify-password Event After the Input Policy 


<modify-password class-name="user" src-dn="\ELEU"> 
<association>USER\ELEU</association> 
<password>secret</password> 
</modify-password> 
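The transformations this section walks through, as an added Python example (not the driver's or Novell's code): the Subscriber side turns the XDS modify into a modify-password event and then into the ALTUSER command, refusing a value that fails the default MVS syntax rule before any command would be issued, and the Publisher side applies what the sample Input policy does, dropping old-password and lowercasing. The sample events are constructed from the ones shown above; the function names and the one-to-eight alphanumeric check (which ignores installation-defined rules) are this example's own.

```python
# Added example (not part of the Novell driver or this guide): models the
# password-event transformations described in this section with Python's
# standard XML library. Sample events are constructed from the ones shown
# above; the syntax check covers only the default MVS rule (one to eight
# alphanumeric characters), not installation-defined rules.
import re
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed sample: the XDS <modify> DirXML sends to the Subscriber
# channel when the eDirectory password changes.
SUBSCRIBER_MODIFY = """<modify class-name="User" src-dn="\\DAL\\users\\eleu">
<association>USER\\ELEU</association>
<modify-attr attr-name="nspmDistributionPassword">
<remove-all-values/>
<add-value><value>secret</value></add-value>
</modify-attr>
</modify>"""

# Constructed sample: the event the RACF Event Subsystem publishes after a
# password change on MVS (old-password is only present when the change was
# made at logon or with the PASSWORD command, not with ALTUSER).
PUBLISHER_EVENT = """<modify-password class-name="user" src-dn="\\ELEU">
<association>USER\\ELEU</association>
<old-password>GUESS</old-password>
<password>SECRET</password>
</modify-password>"""

# Default MVS password syntax; installations may add further rules.
MVS_PASSWORD_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")


def mvs_password_ok(password: str) -> bool:
    """True when the value satisfies the default MVS syntax rule."""
    return MVS_PASSWORD_RE.fullmatch(password) is not None


def to_modify_password(modify_xml: str) -> Optional[ET.Element]:
    """Subscriber Command policy step: turn a <modify> that carries
    nspmDistributionPassword into a <modify-password> event.
    Returns None when the modify does not set that attribute."""
    modify = ET.fromstring(modify_xml)
    attr = modify.find("modify-attr[@attr-name='nspmDistributionPassword']")
    if attr is None:
        return None
    value = attr.findtext("add-value/value")
    if not value:
        return None
    event = ET.Element("modify-password", dict(modify.attrib))
    ET.SubElement(event, "association").text = modify.findtext("association", "")
    ET.SubElement(event, "password").text = value
    return event


def racf_user_from_association(association: str) -> str:
    """Association values have the form USER\\ELEU; the RACF user ID is
    the part after the backslash."""
    return association.rsplit("\\", 1)[-1]


def to_altuser_command(event: ET.Element) -> str:
    """Build the ALTUSER command the Subscriber channel issues over TSO.
    Raises ValueError for a password MVS would reject, so the caller can
    return an error status instead of issuing a command that will fail."""
    password = event.findtext("password", "")
    if not mvs_password_ok(password):
        raise ValueError("password violates MVS syntax (1-8 alphanumeric)")
    user = racf_user_from_association(event.findtext("association", ""))
    # TSO folds the command to uppercase, matching the form shown in the
    # guide; MVS stores the password case-insensitively in any case.
    return f"ALTUSER {user} NOEXPIRED PASSWORD({password.upper()})"


def apply_input_policy(event_xml: str) -> ET.Element:
    """Publisher Input policy as the preconfigured sample behaves: drop
    <old-password> (so DirXML uses GenerateKeyPair rather than
    modifyPassword for the NDS password) and lowercase <password>, since
    MVS passwords are case-insensitive. A case-sensitive Universal
    Password therefore only ever receives the lowercased value."""
    event = ET.fromstring(event_xml)
    for old in event.findall("old-password"):
        event.remove(old)
    pw = event.find("password")
    if pw is not None and pw.text:
        pw.text = pw.text.lower()
    return event


if __name__ == "__main__":
    sub = to_modify_password(SUBSCRIBER_MODIFY)
    print(ET.tostring(sub, encoding="unicode"))
    print(to_altuser_command(sub))
    print(ET.tostring(apply_input_policy(PUBLISHER_EVENT), encoding="unicode"))
```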
Installing the Novell Nsure Identity Manager Driver for MVS RACF 


The Novell® Nsure™ Identity Manager Driver for MVS RACF includes two 
parts. They are installed in separate operations. 


1. The RACF Event Subsystem: Serves as an interface between the driver 
shim and RACF. 


The RACF Event Subsystem must be installed on each system that shares 
the RACF database. 


2. The driver shim: Provides the conduit for information transfer between 
eDirectory™ (through DirXML®) and the RACF Event Subsystem. 


The driver shim can be installed on an MVS system that runs the RACF 
Event Subsystem, and configured to use the Java* Remote Loader; or the 
driver shim can be installed on a server that runs eDirectory. 


The driver shim communicates with the RACF Event Subsystem through 
Telnet connections. Unless your network provides the level of security 
required to ensure the privacy of data transmitted over these Telnet 
connections, we recommend that you install the driver shim on an MVS 
system with the RACF Event Subsystem and configure the Telnet 
connections to use localhost. 


Before you install the Novell Nsure Identity Manager Driver for MVS RACF 
in a production environment, you should install the driver in a test 
environment for use in developing your full deployment plan. 
Software Requirements 


+ Novell Nsure Identity Manager 2 or later. 

+ iManager 2.0.2 or later. 

+ Any OS/390* or z/OS release supported by IBM. 
+ RACF 1.9 or later. 


+ Use of the Java Remote Loader requires Java on the MVS system. For 
details, see “Installing the Driver Shim on MVS Using the Java Remote 
Loader” on page 52. 

IMPORTANT: Before you begin your installation, check the Novell Support Web site 
(http://support.novell.com) for the latest support pack and product update information, 
and review the Release Notes and Readme files. 


Other Requirements 


Before placing the Novell Nsure Identity Manager Driver for MVS RACF in 
a production environment, you should have a clear deployment strategy in 
place. The detailed planning of a deployment solution that is necessary to meet 
a given installation’s unique business needs is beyond the scope of this guide. 
For technical information about customizing the driver, see Chapter 3, 
“Customizing the Driver,” on page 67. 


Although different tasks can be performed by different people, your 
installation and deployment team must collectively have expertise with 
eDirectory, iManager, DirXML, MVS, RACF, and XSLT. 


Full administrative rights are required, both in eDirectory and on MVS. 
Overview of the Installation Process 


The following outline summarizes the steps to install Novell Nsure Identity 
Manager Driver for MVS RACF. Details about each step can be found in the 
topics that follow this outline. 


1 Install the RACF Event Subsystem on each MVS system that shares the 
RACF database. 


For details, see “Installing the RACF Event Subsystem” on page 41. 
Installing the RACF Event Subsystem includes the following tasks: 
1a “Setting Up the Libraries on Your MVS System” on page 42 

1b “Allocating and Initializing the Change Log Data Set” on page 44 
1c “Setting Up the Change Log Started Task” on page 45 

1d “Authorizing the LDXSERV TSO Command” on page 46 

1e “Installing the LDXPROC TSO Logon Procedure” on page 46 


1f “Creating an Administrative User ID for the Driver TSO Session” on 
page 47 


1g “Testing the RACF Event Subsystem before Installing the RACF 
Exits” on page 48 


1h “Installing the RACF Exits” on page 49 


1i “Testing the Completed RACF Event Subsystem Installation” on 
page 50 


2 Install the driver shim. 
For details, see “Installing the Driver Shim” on page 51. 


You can use the Remote Loader and install the driver shim on an MVS 
system with the RACF Event Subsystem, or you can install the driver 
shim on a system with eDirectory. 


2a “Installing the Driver Shim on MVS Using the Java Remote Loader” 
on page 52 


or 
2b “Installing the Driver Shim on an eDirectory Server” on page 56 
3 Add the auxiliary classes to the schema. 


For details, see “Installing Auxiliary Classes” on page 57. 
4 Set up the initial driver configuration. 

4a “Setting Up the Driver” on page 57. 

4b “Customizing the Policy Starter Set” on page 66. 
5 Activate the driver. 


DirXML drivers must be activated within 90 days of installation, or they 
will shut down. At any time during the 90 days, or afterward, you can 
activate DirXML products to a fully licensed state. For further 
information, see “Activating the Driver” on page 66. 


After you have installed and tested the preconfigured Novell Nsure Identity 
Manager Driver for MVS RACF, implement the deployment plan that you 
have developed to meet your own specific business requirements. 
Installing the RACF Event Subsystem 


An experienced MVS system programmer familiar with the use of RACF at 
the local installation should install the RACF Event Subsystem. You should 
plan about a day to perform the installation tasks. Because the RACF exits 
reside in LPA, an IPL is required to complete the installation. 


To publish RACF events to eDirectory, you must install the RACF Event 
Subsystem on each system that shares the RACF database. 


If you will only subscribe to eDirectory commands, you need only one 
instance of the RACF Event Subsystem. You do not need to install the RACF 
exits, you do not need to run the Change Log Started Task, and you do not need 
a Change Log data set. 


The instructions that follow assume that you will install both the Publisher and 
Subscriber channels. 
Setting Up the Libraries on Your MVS System 


The RACF Event Subsystem is packaged as TRANSMIT unloaded MVS 
partitioned data sets (PDS). 


+ Samples Library: LDXSAMP.XMT 
Contains sample cataloged procedures and other JCL. 


+ Load Library: LDXLOAD.XMT 
Contains executable code. 


To prepare the samples library and load library for use: 
1 Use ftp to upload these files to your MVS system from a PC or file server. 
1a FTP your-MVS-hostname 
1b Authenticate to MVS using your user ID and password. 
1c QUOTE SITE LRECL=80 RECFM=FB 


1d If you need the files to be stored on a specific disk volume, enter 
QUOTE SITE VOL=volser 


1e BINARY 
1f PUT LDXSAMP.XMT 
1g PUT LDXLOAD.XMT 
1h QUIT 
2 Use RECEIVE to unpack the samples and load library data sets. 


2a Log on to MVS using the same user ID that you used for the ftp 
session. The names of the files you sent begin with your user ID 
unless you have changed your TSO profile prefix. 


2b Enter 
RECEIVE INDATASET(LDXSAMP.XMT) 


When RECEIVE prompts you for parameters, enter 

DSNAME('hlq.SAMPLIB') VOLUME(volser) 

where: hlq.SAMPLIB is the name you want to give the samples 
library, and volser is the volume where the samples library is to be 
created. 


2c Enter 
RECEIVE INDATASET(LDXLOAD.XMT) 

When RECEIVE prompts you for parameters, enter 

DSNAME('hlq.LDXLOAD') VOLUME(volser) 

where: hlq.LDXLOAD is the name you want to give the load library, 
and volser is the volume where the load library is to be created. 


HINT: RECEIVE errors are typically caused by failure to specify BINARY transfer 
type or LRECL and RECFM parameters when transferring the files to MVS with ftp. 


3 Add the LDX load library to the APF list. 


Use the PARMLIB IEAAPFxx or PROGxx member as appropriate. If you 
use the dynamic APF facility, you can use the SET PROG command to 
activate your changes. Otherwise, you must IPL for the change to take 
effect. 
Allocating and Initializing the Change Log Data Set 


The Change Log data set is a standard MVS direct access data set. The Change 
Log data set must reside on a shared device unless it is used by only a single 
system. 


Create one Change Log data set. It is shared by each MVS system that shares 
the RACF database. 


The Log File utility LDXUTIL is used to initialize the Change Log data set. 
The Change Log data set must be initialized before you start the Change Log 
Started Task for the first time. 


To allocate and initialize the Change Log data set: 
1 Customize the samples library member LOGINIT. 


Update the JCL to conform to your local installation requirements, and 
specify 


+ The name of your LDX load library. 
+ A name for your Change Log data set. 


+ The shared disk volume where the Change Log is to be allocated. 
Specify a different unit name if appropriate. 


2 Run the LOGINIT job. 
An IEC031I D37 message is normal and should be ignored. 


3 Ensure that your Change Log data set is given RACF protection 
appropriate for the sensitive nature of its contents. 


WARNING: If you initialize a Change Log data set that contains data, the data is lost. 
Setting Up the Change Log Started Task 


1 Copy member LDXLOGRP from the samples library to your started task 
procedure library (SYS1.PROCLIB or its equivalent). You can give the 
Change Log Started Task a different name if necessary. 


2 Update the JCL to specify 
+ The name of your LDX load library 
+ The name of your Change Log data set 


3 Add the Change Log Started Task to your system startup and shutdown 
procedures. 


For information about starting and stopping the Change Log Started Task, 
see “Starting the Change Log Started Task” on page 79 and “Stopping the 
Change Log Started Task” on page 80. 


The Change Log Started Task should be started during your IPL 
procedure before user processing begins. Any RACF events of interest 
that occur are stored in the cross memory queue until the Change Log 
Started Task has initialized. 


The Change Log Started Task should be stopped during your system 
shutdown procedure after all user processing has ended. Any RACF 
events of interest that occur after the Change Log Started Task shuts down 
remain in the cross memory queue and are lost when the system is shut 
down. 


4 Review your Workload Manager definitions to ensure that the Change 
Log Started Task is assigned to a Service Class appropriate for its role. 
Authorizing the LDXSERV TSO Command 


LDXSERV requires APF authorization. LDXSERV resides in the LDX load 
library, which you added to the APF list in Step 3 on page 43. You must also 
add LDXSERV to the list of authorized TSO commands. 


To authorize the LDXSERV TSO command: 


1 Add LDXSERV to the AUTHCMD NAMES(...) statement in member 
IKJTSOxx of SYS1.PARMLIB or its equivalent. 


Example: 


AUTHCMD NAMES( + 
...other commands... + 
LDXSERV) 


For more information about IKJTSOxx, see the Initialization and Tuning 
Reference for your system. 


2 Use the PARMLIB TSO command to activate your changes. 


Example: 


PARMLIB CHECK(00) 
PARMLIB UPDATE(00) 


For more information about the PARMLIB command, see the TSO/E 
System Programming Command Reference for your system. 


NOTE: The LDXISSUE command does not require APF authorization. 


Installing the LDXPROC TSO Logon Procedure 


The LDXPROC TSO logon procedure provides the environment needed by 
the driver TSO sessions. 
To set up the LDXPROC logon procedure: 


1 Copy member LDXPROC from the samples library to your TSO logon 
procedure library. You can give the logon procedure a different name if 
necessary. 


2 Update the JCL to specify the name of your LDX load library on the 
STEPLIB DD statement. 
Creating an Administrative User ID for the Driver TSO Session 


The Subscriber channel uses the administrative user ID primarily to issue 
RACF commands. The Publisher channel uses the administrative user ID 
primarily to access the Change Log data set. 


To set up the administrative user ID: 
(Do this once for each set of systems that share a RACF database.) 


1 Define the user with the ADDUSER command. 


Specify values for the various parameters as appropriate for your 
standards. There are no restrictions placed by the driver on the name of 
the user ID. 


The user ID used by the driver must be given the RACF SPECIAL and 
TSO attributes, and must have no restrictions placed on it that could 
prevent its intended processing. 


Example: 


ADDUSER LDXUSER DFLTGRP(mygroup) - 
NAME('RACF DRIVER') PASSWORD(initial) SPECIAL - 
TSO(PROC(LDXPROC) SIZE(32768)) 


2 Set the password of the user ID to never expire. 


Example: 


PASSWORD USER(LDXUSER) NOINTERVAL 


3 Reset the password of the user ID and mark it not expired. (RACF marks 
the value specified on the ADDUSER command as being expired.) 


Example: 


ALTUSER LDXUSER NOEXPIRED PASSWORD(xxx) 


When you set up the Driver object, you specify the user ID and password you 
create here. For details, see “Setting Up the Driver” on page 57. 


Changing the Password of the Administrative User ID 


To change the password of the administrative user ID after installation has 
been completed: 


1 Use the ALTUSER command as shown in Step 3 on page 47. 


2 Update the driver configuration with the new Application Password. 
For details, see “Configuring Driver Parameters after Setup Has Been 
Completed” on page 64. 


Testing the RACF Event Subsystem before Installing the RACF Exits 


You can use the LDXSERV command to test your installation before you 
install the RACF exits. 


To test the RACF Event Subsystem: 
1 If it is not already running, start the Change Log Started Task. 


For information about starting the Change Log Started Task, see “Starting 
the Change Log Started Task” on page 79. 


2 Log onto TSO using the administrative user ID you created for the driver. 


3 Issue the command 
LDXSERV STATUS 


Examine the output of the command. You should see information about 
the cross memory queue, information about the Change Log Started Task, 
and a valid, empty Change Log data set. 


For details about interpreting LDXSERV STATUS output, see “Output of 
the LDXSERV STATUS Command” on page 83. 
Installing the RACF Exits 


Follow your normal procedure for applying such changes to your MVS 
system. We recommend that you 
+ Install and test the exits on a test system or partition first. 
+ Make a copy of your system volumes before applying any changes. 
+ Consider packaging the exits as SMP/E usermods. 


To install the RACF exits: 


1 Install LDXEVX01, the Common Command exit, using the Dynamic 
Exit Facility. 


For testing, we recommend that you set up two PROGxx members in 
SYS1.PARMLIB (or equivalent), to allow for easy removal of the exit if 
desired. 


1a Edit SAMPLIB members PROGAD and PROGDL. Change <LDX 
load library> to your LDX load library name. 


1b Copy these two members to your system PARMLIB data set. If you 
already have a PROGAD or PROGDL member, rename the LDX 
members to a PROGxx name that’s not in use. 


1c When ready, use the console command SET PROG=AD to activate 
LDXEVX01 as an IRREVX01 exit point. 


1d To uninstall the LDX exit, issue SET PROG=DL as a console 
command. 


For permanent installation, do one of the following: 


+ Add the EXIT ADD statement in PROGAD to your production 
PROGxx PARMLIB member. 


+ Add a SET PROG=AD command to CONSOL00 or an automation 
script, so that it is issued during your IPL procedure. 


2 Install ICHRIX02, the RACROUTE REQUEST=VERIFY(X) 
(RACINIT) postprocessing exit. 


+ If you do not have an existing ICHRIX02 exit, run the job in the 
samples library member RIXOA. This job uses SMP/E to linkedit 
LDXRIX02 into SYS1.LPALIB as exit ICHRIX02. 


+ If you have an existing ICHRIX02 exit, update samples library 
member RIXOB as appropriate. RIXOB installs a router that calls the 
driver postprocessing exit and your existing exit. 


NOTE: To uninstall this exit, use the SMP/E RESTORE function and then IPL with 
the CLPA option. 


3 After you have installed these two exits, IPL the MVS system with the 
CLPA option. 


Testing the Completed RACF Event Subsystem Installation 
To test the complete RACF Event Subsystem before installing the driver shim: 
1 If it is not already running, start the Change Log Started Task. 


For information about starting the Change Log Started Task, see “Starting 
the Change Log Started Task” on page 79. 


2 Perform some actions to exercise the two RACF exits and create some 
sample events. 


2a Change a password using the logon screen. 
2b Create a new user ID. 
3 Log on to TSO using the administrative user ID you created for the driver. 


4 Issue the command 
LDXSERV STATUS 


Examine the output of the command. You should see the RACF exits 
loaded, information about the cross memory queue, information about the 
Change Log Started Task, and a valid, non-empty Change Log data set. 


For details about interpreting LDXSERV STATUS output, see “Output of 
the LDXSERV STATUS Command” on page 83. 
Installing the Driver Shim 


You can install the driver shim on an eDirectory server, or you can use the Java 
Remote Loader to install the driver shim on MVS. 


Because the driver shim uses Telnet to access the RACF Event Subsystem, we 
recommend that you use the Remote Loader. If your network security can 
ensure the privacy of the transmitted data, you can install the driver shim on 
an eDirectory server. 


Use the set of installation instructions in the section that corresponds to the 
location you select. 


+ “Installing the Driver Shim on MVS Using the Java Remote Loader” on 
page 52 


+ “Installing the Driver Shim on an eDirectory Server” on page 56 
Installing the Driver Shim on MVS Using the Java Remote Loader 


You can choose to install the driver shim on an MVS system that runs the 
RACF Event Subsystem, or you can choose to install the driver shim on an 
eDirectory server. 


This section describes installing the driver shim on MVS. For information 
about installing the driver shim on an eDirectory server, see “Installing the 
Driver Shim on an eDirectory Server” on page 56. 


If you choose to install the driver shim on MVS, you can install the driver shim 
on any MVS system that runs the RACF Event Subsystem. The Telnet 
connection uses localhost in this case. 


Before you can install the driver shim on MVS, you must install the Java 
Remote Loader. The Java Remote Loader requires Java. If you have not 
already installed Java on MVS, you must install it first. 


+ “Installing Java on MVS” on page 53 
+ “Installing the DirXML Java Remote Loader” on page 54 
+ “Installing the Driver Shim” on page 55 
Installing Java on MVS 


The Java Remote Loader requires Java. If you have not installed and 
configured Java on the target MVS system, you must do so now. 


To install Java on MVS: 


1 Obtain and install Java 2 Technology Edition from the IBM Java 2 on the 
OS/390 and z/OS Platforms Web site (http://www.ibm.com/servers/ 
eserver/zseries/software/java). 


Install Java version 1.4 if you use z/OS 1.4 or later. Install Java version 
1.3.1 for earlier systems. 


Be sure to install the prerequisite APARs, and to review the install 
information, restrictions, and other considerations detailed on the Web 
site. 


2 Add the following lines to your /etc/profile: 


# Java installation directory 
export JAVA_HOME=your_Java_Installation_Directory 
export PATH=$JAVA_HOME/bin:$PATH 


Substitute the name of your Java installation directory for 
your_Java_Installation_Directory. Example: 


export JAVA_HOME=/usr/lpp/java/IBM/J1.4 


Java 1.3 and 1.4 do not require a classpath for standard Java classes as long as 
the directory structure is maintained. 


Java runtime options can be passed using the environment variable 
IBM_JAVA_OPTIONS. For example, to turn on verbose mode: 


export IBM_JAVA_OPTIONS=-verbose 
Installing the DirXML Java Remote Loader 


To install the Java Remote Loader Service on MVS: 


1 Create a directory on your MVS system to contain the Java Remote 
Loader and driver shim. For example: /usr/dirxml. 


2 Obtain the Java Remote Loader package dirxml_jremote.tar.gz from the 
Nsure Identity Manager installation and place it on a workstation that has 
a file compression utility and ftp access to the MVS system. 


3 Use the file compression utility to extract the files from the package to a 
temporary directory. For example: c:\temp\dirxml. 


This creates the following files and directories in your temporary 
directory: 


Table 5   Files in Temporary Directory 

File              Contents                              FTP Transfer Type 
config8000.txt    sample configuration file             ascii 
create_keystore   sample script to create keystore      ascii 
dirxml_jremote    sample script to run Remote Loader    ascii 
lib               java .jar files                       binary 
doc               documentation                         ascii 


4 Use ftp to upload the files to MVS. 


Be sure to use the appropriate ftp transfer type (binary or ascii) as shown 
in the preceding table. 


cd c:\temp\dirxml 
ftp your_mvs_system 
your user ID 
your password 
ascii 
cd /usr/dirxml 
mkdir doc 
mkdir lib 
mput * 
cd doc 
mput doc\*.* 
binary 
cd ../lib 
mput lib\*.* 
quit 


5 Edit the two sample scripts create_keystore and dirxml_jremote, and 
remove the logic pertaining to checking for installed Java version. (The 
which command used by this logic is not available on MVS.) 


6 Edit dirxml_jremote to add ./lib to the CLASSPATH. 


7 Copy xds.jar from the Nsure Identity Manager installation to ./lib. 


Installing the Driver Shim 


To install the driver shim to your MVS system: 


1 Obtain racfshim.tar from the distribution and place it on a workstation 
that has a file compression utility and ftp access to the MVS system. 


2 Use the file compression utility to extract RACF.jar from racfshim.tar to 
a temporary directory. For example: c:\temp\shim 


3 Use ftp to upload RACF.jar to the Remote Loader lib directory on MVS. 
Use the binary ftp transfer type for RACF.jar. 


cd c:\temp\shim 
ftp your_mvs_system 
your user ID 
your password 
binary 
cd /usr/dirxml/lib 
mput RACF.jar 
quit 
Installing the Driver Shim on an eDirectory Server 


You can choose to install the driver shim on an MVS system that runs the 
RACF Event Subsystem, or you can choose to install the driver shim on an 
eDirectory server. 


This section describes installing the driver shim on an eDirectory server. For 
information about installing the driver shim on MVS, see “Installing the 
Driver Shim on MVS Using the Java Remote Loader” on page 52. 


To install the driver shim on an eDirectory server, locate the installation 
executable for your OS in the distribution, run it, and respond to the prompts. 


+ The directory to install the driver to 
+ The DirXML library path 
+ The iManager installation path 
Installing Auxiliary Classes 


An auxiliary class is a set of attributes that are added to particular eDirectory 
object instances rather than to an entire class of objects. You can use the 
racf.sch file to add RACF attributes for eDirectory User and Group objects. 


Setting Up the Driver 


After you have installed the various components, you must create a Driver 
object and configure it for operation. 


+ “Creating and Configuring the Driver Object” on page 58 
+ “Setting Global Configuration Values” on page 61 


+ “Configuring Driver Parameters after Setup Has Been Completed” on 
page 64 
Creating and Configuring the Driver Object 


1 In iManager, select DirXML Utilities > Create Driver, and designate the 
driver set for the new driver. 


2 Choose Import a Driver Configuration from the Server > RACF.xml. 


3 Specify driver configuration information. 


+ Driver Name: Specify a name for your driver. 


+ Enable Role-Based Entitlements: Choose whether or not you want 
this driver configured to use entitlements. 


+ RACF Host Address: Specify the IP address or DNS name the 
driver should use for its Telnet interface to the RACF system. 


If the driver uses the Remote Loader, specify 127.0.0.1, which is the 
local host. 


+ RACF Telnet Port: Specify the Telnet port number the driver should 
use. This should normally be 23. 


+ Administrator: Specify the name of the administrative user ID you 
created for the driver in Step 1 on page 47. 


+ Administrator Password: Specify the password you specified for 
the administrative user ID in Step 3 on page 47. 


+ RACF TSO Name: Specify the APPLID the driver should use on its 
VTAM logon command to access TSO. 


+ RACF TSO Account Number: Specify the account number 
information the driver should provide on the TSO logon screen for 
the administrative user ID. 


+ RACF TSO Procedure: Specify the TSO logon JCL procedure 
name the driver should provide on the TSO logon screen for the 
administrative user ID. 
+ Configure Data Flow: Choose the data flow configuration you want 
set in the filter. 


+ To synchronize in both the Publisher and Subscriber channels, 
choose Bi-directional. 


+ To synchronize only for the Publisher channel, choose RACF to 
eDirectory. 


+ To synchronize only for the Subscriber channel, choose 
eDirectory to RACF. 


+ Polling Interval: Specify the number of seconds the Publisher 
Channel should wait after processing all available events before 
issuing the next LDXSERV GETNEXT command to see if new 
events are available for processing. 


+ Heartbeat Interval: Specify the minimum number of minutes 
between publication heartbeat documents. To disable heartbeat 
document publication, set this value to zero. 


+ Users Container: Specify the eDirectory container where users are 
to be synchronized. 


+ Groups Container: Specify the eDirectory container where groups 
are to be synchronized. 


+ Default Group: Specify the default group for new RACF users. 


+ Use Default Matching Rules: Choose whether or not the default 
Matching policies are enabled. 


You should not use the preconfigured sample default Matching 
policies for a production environment without a careful review of 
installation-dependent considerations. 


+ Install Driver As Remote/Local: Specify whether the driver is to 
use the Remote Loader or to run local to the eDirectory server. 




The following options pertain only to configurations that use the Remote 
Loader. 


+ Remote Host Name and Port: Specify the IP address or DNS name 
and TCP port number to be used to access the Remote Loader 
service. 


+ Driver Password: Specify the driver object password used by the 
Remote Loader to authenticate itself to the DirXML server. It must 
be the same password that is specified as the Driver Object Password 
on the DirXML Remote Loader. 


+ Remote Password: Specify the Remote Loader password used by 
DirXML to authenticate itself to the Remote Loader. It must be the 
same password that is specified as the Remote Loader password on 
the DirXML Remote Loader. 


4 Define appropriate Security Equivalences for the Driver object so that it 
can perform the necessary eDirectory operations. 


5 Exclude Administrative roles from replication. 


6 Restart eDirectory. 


7 Start the driver: 


7a In iManager, select DirXML Management > Overview. 


7b Locate the driver in its driver set. 


7c Click the driver status indicator in the upper right corner of the driver 
icon and click Start Driver. 
Setting Global Configuration Values 


After you have created and configured the Driver object, review the Global 
Configuration Values settings and customize them as appropriate. 


To review and change global configuration values: 


1 In iManager, select DirXML Management > Overview. 


2 Select the driver set containing the driver, click the driver icon to see the 
driver overview, then click the driver icon again to edit driver parameters. 


3 Click DirXML > Global Config Values. 
4 Update the values as desired, then click OK. 


+ Action on Applying RACF Account Entitlement: Specifies the 
policy action to be taken for a RACF user when it is granted the 
RACF Account Entitlement. 


+ Action on Removing RACF Account Entitlement: Specifies the 
policy action to be taken for a RACF user when its RACF Account 
Entitlement is removed. 


+ RACF Accepts Passwords from DirXML Data Store: Specifies 
whether or not the policies permit password values to flow from 
eDirectory to RACF. 


+ DirXML Accepts Passwords from RACF: Specifies whether or 
not the policies permit password values to flow from RACF to 
eDirectory. 


+ Publish Passwords to NDS Password: Specifies whether or not the 
policies publish passwords to the NDS® password in eDirectory (if 
DirXML accepts passwords from RACF). 


+ Publish Passwords to Distribution Password: Specifies whether 
or not the policies publish passwords to the eDirectory Distribution 
Password (if DirXML accepts passwords from RACF). 


+ Require Password Policy Validation Before Publishing 
Passwords: Specifies whether or not eDirectory password policies 
are enforced for passwords being published from RACF. 


IMPORTANT: Ensure that your password policies are compatible with RACF 
password rules and restrictions before enabling this facility. 


+ Reset User's External System Password to the DirXML 
Password on Failure: Specifies whether or not the RACF password 
is to be reset from the eDirectory password if an eDirectory password 
change fails. 


IMPORTANT: Ensure that your password policies are compatible with RACF 
password rules and restrictions before enabling this facility. 


+ Notify the User of Password Synchronization Failure via E-mail: 
Specifies whether or not a message is to be sent to the user if a 
password synchronization fails. 


For information about e-mail notification prerequisites and 
configuration, see Configuring E-Mail Notification in the Nsure 
Identity Manager Administration Guide (http://www.novell.com/ 
documentation/lg/dirxml20). 


+ Connected System or Driver Name: Specifies the name to be used 
to identify the RACF system to the user in password synchronization 
failure messages. 


+ Users Container: Specifies the eDirectory container where users are 
to be synchronized. 


+ Groups Container: Specifies the eDirectory container where groups 
are to be synchronized. 


+ Default TSO Acctnum: Specifies the default TSO accounting 
information for new RACF users. 


+ Default TSO Maxsize: Specifies the default TSO MAXSIZE value 
for new RACF users. 


+ Default TSO Procedure: Specifies the default TSO logon procedure 
name for new RACF users. 


+ Default TSO Size: Specifies the default TSO SIZE value for new 
RACF users. 


+ Default Group: Specifies the default group for new RACF users. 


+ Use Default Matching Rules: Specifies whether or not the default 
Matching policies are enabled. 


You should not use the preconfigured sample default Matching 
policy for a production environment without a careful review of 
installation-dependent considerations. 


The default Subscriber Matching policy matches User objects 
without an association by CN. RACF does not use a hierarchical 
directory structure and does not provide a globally unique identifier. 
A pre-existing RACF user profile could be matched with a User 
object in eDirectory that represents a different person. 


Given an appropriate installation management policy, you could 
implement a Matching policy that requires two attributes to be 
identical before matching users by CN. For example, you could use 
the RACF installation-defined data field to contain an employee 
identification number and populate a corresponding field in 
eDirectory, such as Employee ID. 
Configuring Driver Parameters after Setup Has Been Completed 


You can change the configuration of the driver after setup has been completed. 


To change driver parameters: 


1 In iManager, select DirXML Management > Overview. 


2 Select the driver set containing the driver, click the driver icon to see the 
driver overview, then click the driver icon again to edit driver parameters. 


3 Click DirXML > Driver Configuration. 


4 Update the parameters as desired, then click OK. 


+ Driver Module: Select Java or Connect to Remote Loader, as 
appropriate. 


+ Driver Object Password: Specify the driver object password used 
by the Remote Loader to authenticate itself to the DirXML server. It 
must be the same password that is specified as the Driver Object 
Password on the DirXML Remote Loader. 


+ Authentication: Common driver authentication information. 


+ Authentication ID: Specify the name of the administrative user 
ID you created for the driver in Step 1 on page 47. 


+ Authentication Context: Not used. 


+ Remote Loader Connection Parameters: Specify the IP 
address or DNS name and TCP port number to be used to access 
the Remote Loader service. Use the form shown in the following 
example: 

hostname=127.5.222.17 port=8090 


+ Driver Cache Limit: Specify 0. 


+ Application Password: Specify the password you specified for 
the administrative user ID in Step 3 on page 47. 


+ Remote Loader Password: Specify the Remote Loader 
password used by DirXML to authenticate itself to the Remote 
Loader. It must be the same password that is specified as the 
Remote Loader password on the DirXML Remote Loader. 


+ Startup Option: Specify Auto Start for a driver used in production. 


+ Driver Settings: RACF Driver Settings. 
+ RACF Host Address: Specify the IP address or DNS name the 
driver should use for its Telnet interface to the RACF system. 


If the driver uses the Remote Loader, specify 127.0.0.1, which is 
the local host. 


+ RACF Telnet Port: Specify the Telnet port number the driver 
should use. This should normally be 23. 


+ RACF TSO Name: Specify the APPLID the driver should use 
on its VTAM logon command to access TSO. 


+ RACF TSO Account Number: Specify the account number 
information the driver should provide on the TSO logon screen 
for the administrative user ID. 


+ RACF TSO Procedure: Specify the TSO logon JCL procedure 
name the driver should provide on the TSO logon screen for the 
administrative user ID. 


+ Subscriber Settings: Subscriber channel settings. 

+ Additional Handlers: Not used. 


+ Publisher Settings: Publisher channel settings. 

+ Additional Servlets: Not used. 


+ Publisher Disabled: Specify Yes or No for whether or not the 
driver suppresses publishing RACF events. 


+ Polling Interval: Specify the number of seconds the Publisher 
Channel should wait after processing all available events before 
issuing the next LDXSERV GETNEXT command to see if new 
events are available for processing. 


+ Heartbeat Interval: Specify the minimum number of minutes 
between publication heartbeat documents. To disable heartbeat 
document publication, set this value to zero. 
Customizing the Policy Starter Set 


The preconfigured starter set of sample policies and filters is not intended for 
use in a production environment. Before running the driver you must modify 
the policies and filters to suit your own business rules. For detailed 
information, see Chapter 3, “Customizing the Driver,” on page 67. 


Activating the Driver 
DirXML and DirXML drivers must be activated within 90 days of installation, 
or they will shut down. At any time during the 90 days, or afterward, you can 
activate DirXML products to a fully licensed state. 


To activate DirXML products: 
1 Purchase the appropriate licenses. 
2 Generate a Product Activation Request. 
3 Submit the Product Activation Request to Novell. 


4 Install the Product Activation Credential received from Novell. 
For detailed information about completing these steps, see Activating 


DirXML Products in the Nsure Identity Manager Administration Guide (http:/ 
/www.novell.com/documentation/lg/dirxml20). 
Customizing the Driver 


The Novell® Nsure™ Identity Manager Driver for MVS RACF includes a 
sample starter set configuration that you can use as a starting point for your 
customization. You must customize the driver to conform to the requirements 
of your installation before running it for production work. 


Customization of the driver is accomplished by tailoring the global 
configuration values, policies, and filters. The event filters determine whether 
eDirectory™, RACF, both, or neither is the source of User and Group objects 
and their various attributes. The policies control the way that information 
flows from the source to the destination. Global configuration values are used 
by the sample policies to control their processing. 


+ For information about customizing the global configuration values, see 
“Setting Global Configuration Values” on page 61. 


+ For information about customizing the flow of data through the filters, see 
“Controlling Which Objects and Attributes Are Synchronized” on page 
70. 


+ For information about customizing the policies, see “Customizing the 
Policies” on page 71. 


+ For details about customizing password synchronization, see the Nsure 
Identity Manager Administration Guide (http://www.novell.com/ 
documentation/lg/dirxml20). 


Guidelines for Customization 


The Subscriber channel issues RACF commands to process XDS commands 
received for objects and attributes represented in the MVS RACF schema. For 
details of how these attributes relate with RACF command parameters, see 
“RACF Command Parameter Mapping” on page 106. 


The Subscriber channel constructs RACF commands using the values 
provided in XDS command documents for users and groups. If the Subscriber 
channel can successfully construct and issue commands, it returns success 
status—regardless of the command results. If the values provided in the XDS 
documents do not conform to RACF requirements, the RACF commands can 
produce invalid or undesired results. 


The Publisher channel generates XDS event documents based on RACF 
commands and the parameters that are specified on them. Not all of the RACF 
processing implied by certain combinations of command parameters can be 
accurately codified in XDS event documents. 


As a policy writer, it is your responsibility to understand the limitations of 
RACF and its command semantics. You must ensure that the values you pass 
to the Subscriber channel are valid and consistent. You must account for side 
effects and possible multiple meanings of RACF command parameters and 
combinations of parameters. You must understand and provide for the 
differences and limitations in the way eDirectory and RACF attributes with 
similar functions whose values are derived from one another are implemented 
by eDirectory and RACF. 


For information about how the driver shim processes certain commands and 
events, see “Driver Processing of Attributes and Commands” on page 127. 


RACF Restrictions 
RACF places restrictions on user and group profile names, passwords, and 
other values. You must do what is necessary in your policies and filters to 
ensure that no objects or attributes are added or migrated from eDirectory that 
do not conform to the RACF restrictions. The Subscriber channel performs no 
validity checking on the values in the XDS command documents that are 
passed to it. The RACF commands that the Subscriber channel generates to 
process the command documents validate their parameter values. Invalid 
values can cause the commands issued by the Subscriber channel to produce 
erroneous results. 
The following sections describe some common RACF command parameter 
syntax rules. For a complete description of RACF command parameter syntax 
rules, see your Security Server RACF Command Language Reference. For 
tables relating RACF command parameters and MVS RACF schema 
attributes, see “RACF Command Parameter Mapping” on page 106. 


User Profile Naming Restrictions 


The following is a summary of the RACF restrictions for naming user profiles. 
For complete details, see your RACF documentation. 


+ A RACF TSO user ID must be between 1 and 7 characters in length. 


+ A RACF TSO user ID must consist of characters in: A-Z, 0-9, #, $, @ 
(case-insensitive). 


+ A RACF TSO user ID must not begin with a numeric character (0-9). 


+ No user ID can be the same as the name of another user ID or the name 
of a group. 


Group Profile Naming Restrictions 


The following is a summary of the RACF restrictions for naming group 
profiles. For complete details, see your RACF documentation. 


+ A RACF group name must be between 1 and 8 characters in length. 


+ A RACF group name must consist of characters in: A-Z, 0-9, #, $, @ 
(case-insensitive). 


+ A RACF group name must not begin with a numeric character (0-9). 


+ No group name can be the same as the name of another group or the name 
of a user ID. 


Password Restrictions 


MVS requires that passwords be one to eight alphanumeric characters. MVS 
passwords are case-insensitive. An installation can define additional password 
syntax rules using the RACF SETROPTS command. 


Before you use Novell Nsure Identity Manager Driver for MVS RACF, 
review the global configuration values to ensure that you have specified 
appropriate values, such as the names of your eDirectory containers for users 
and groups. For details about global configuration values, see “Setting Global 
Configuration Values” on page 61. 


Controlling Which Objects and Attributes Are Synchronized 


Filter 


Event Policies 


Entitlements 


DirXML® uses filters to control the data flow for which objects and attributes 
are synchronized, and to define the authoritative data source for these objects 
and attributes. The initial data flow configuration was specified during 
installation. For details, see “Creating and Configuring the Driver Object” on 
page 58. 


The preconfigured filter is illustrated in “Filter” on page 24. 
To change the filter: 
1 In iManager, click DirXML Management > Overview. 
2 Locate the driver in its driver set. 
3 Click the driver to open the Driver Overview Page. 


4 Click the Driver Filter icon and make the desired changes. 


You can use the Event Transformation policies to perform custom filtering of 
objects based on criteria according to your business rules. 


If you enabled role-based entitlements during installation, you can use 
entitlements to control access to RACF accounts. 


Conforming to RACF Requirements 


If your eDirectory object names and attributes do not meet RACF restrictions, 
you must use filters and policies to block or modify them to conform before 
they are delivered to the Subscriber channel. For example, you can use the 
Subscriber Create policy to edit-check CN for length and character set 
requirements. 
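As an added example (not code from the driver or this guide), the following Python functions apply the user ID, group name and password rules summarised under “RACF Restrictions” so that a CN can be vetted before the Subscriber channel sees it. The `existing` set of names already defined to RACF is an assumption you would fill from your own LISTUSER/LISTGRP data; installation SETROPTS password rules are not modelled.

```python
import re

# Character set summarised under "RACF Restrictions": A-Z, 0-9, #, $, @
# (case-insensitive); MVS passwords are one to eight alphanumeric characters.
_NAME_CHARS = re.compile(r"^[A-Z0-9#$@]+$")
_PASSWORD_CHARS = re.compile(r"^[A-Z0-9]{1,8}$")

# Maximum lengths from the page: TSO user ID 1-7, group name 1-8.
_MAX_LEN = {"user": 7, "group": 8}


def racf_name_problem(name, kind, existing=frozenset()):
    """Return None if `name` is usable as a RACF user ID (kind="user") or
    group name (kind="group"); otherwise a short reason for rejection.

    `existing` (assumption: populated from your own LISTUSER/LISTGRP output)
    holds names already defined to RACF, because a user ID may not collide
    with another user ID or with a group name, and vice versa.
    """
    if kind not in _MAX_LEN:
        raise ValueError("kind must be 'user' or 'group'")
    candidate = (name or "").strip().upper()  # RACF names are case-insensitive
    if not candidate:
        return "name is empty"
    if len(candidate) > _MAX_LEN[kind]:
        return f"{kind} name longer than {_MAX_LEN[kind]} characters"
    if not _NAME_CHARS.match(candidate):
        return "name contains characters outside A-Z, 0-9, #, $, @"
    if candidate[0].isdigit():
        return "name must not begin with a numeric character"
    if candidate in {n.upper() for n in existing}:
        return "name is already used by a RACF user ID or group"
    return None


def racf_password_problem(password):
    """Return None if `password` meets the MVS rules stated on this page
    (1-8 alphanumeric, case-insensitive); otherwise a reason."""
    if not _PASSWORD_CHARS.match((password or "").upper()):
        return "password must be 1-8 alphanumeric characters"
    return None


def vet_subscriber_user(cn, existing=frozenset()):
    """The decision a Subscriber Create policy could make for a User object:
    (True, RACF user ID) to let it through, or (False, reason) to veto it."""
    problem = racf_name_problem(cn, "user", existing)
    if problem:
        return False, problem
    return True, cn.strip().upper()
```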


Customizing the Policies 


You can modify, replace, or supplement the preconfigured sample policies to 
perform whatever processing is necessary to meet your business requirements. 
For examples and guidance, you can study the sample policies distributed with 
this and other DirXML drivers. 


For details about the MVS RACF Schema, see Appendix A, “MVS RACF 
Schema and Driver Processing,” on page 89. 


For general information about customizing policies, see the Policy Builder 
and Driver Customization Guide (http://www.novell.com/documentation/lg/ 
dirxml20). 




Advanced Topics 
This topic discusses additional information that can be of interest as you 
develop your customization plan. 
+ “Using the Subscriber Channel Command Class” on page 73 
+ “Using the RACF Query Processor” on page 74 
+ “Using Java Utility Class DateConv” on page 74 
Using the Subscriber Channel Command Class 


Besides the MVS RACF schema User and Group classes, which are mapped 
to their eDirectory counterparts, the Subscriber channel of the driver supports 
the Command class. You can use the Command class in your policies to issue 
arbitrary TSO commands. 


The Subscriber channel processes XDS add commands for class Command. 
The text value of the type="string" value element of an add-attr element is 
executed as a TSO command through the Telnet interface. 


You can use this facility to perform custom processing on the MVS system for 
eDirectory events. 


How the Driver Processes the Command Class 


+ You can specify as many add-attr elements in one XDS add command as 
necessary. 


+ Only one value element is processed for each add-attr element. 


+ The text value of the value element is issued as a TSO command through 
the Telnet interface by the administrative user ID using the LDXISSUE 
command. 


+ You can specify any TSO command, CLIST, or REXX exec as the 
command to be executed. 


NOTE: You must modify the LDXPROC logon procedure used by the 
administrative user ID to provide any DD statements required by your processing. 


+ The response from the command is returned in the status document from 
the driver. 


+ The attr-name of the add-attr element is ignored. 

+ Elements other than add-attr are ignored. 


+ XDS commands other than add are ignored. 


Command Class Example 


<add class-name="Command" event-id="1234"> 
  <add-attr attr-name="MAKEUSER"> 
    <value type="string">%MAKEUSER GURNEY</value> 
  </add-attr> 
</add> 
Using the RACF Query Processor 


The RACF Query Processor is called by DirXML during migration and by 
other processing. 


You can use the RACF Query Processor for your own purposes as required. 


Queries for Scope Entry 


Queries to the RACF Query Processor for a single user are processed using the 
RACF LISTUSER command for that user. Queries to the RACF Query 
Processor for a single group are processed using the RACF LISTGRP 
command for that group. 


Queries for Scope Other Than Entry 


Queries to the RACF Query Processor that are not limited to just a single base 
entry use the RACF LISTUSER * or RACF LISTGRP * command, depending 
on the class. These commands return information for all profiles of the class. 
The RACF Query Processor then returns the information requested by the 
query. 


If you use the RACF Query Processor with a scope other than entry, you 
should expect the query to take a long time—possibly many hours. 


Using Java Utility Class DateConv 


The Novell Nsure Identity Manager Driver for MVS RACF includes the Java 
utility class DateConv. DateConv is used by the starter set sample policies for 
date conversion. You can use this class for your own purposes. 


To use DateConv in your policies: 


1 Add a namespace declaration as shown in the following example taken 
from the Input Transformation policy. 


xmlns:util="http://www.novell.com/nxsl/java/ 
com.Omnibond.nds.dirxml.util.DateConv" 


2 Call the desired method as shown in the following example taken from 
the Input Transformation policy. 


<xsl:value-of select="util:racfToEdirTime(.)"/> 
Overview 


edirToRacfDate 


The Login Expiration Time attribute of an eDirectory User object is mapped 
by the Schema Mapping policy with the RACF-revokedate attribute of a 
RACF User object. RACF represents dates in the mm/dd/yy format, while 
eDirectory uses number of seconds since the beginning of 1970. 


The Java DateConv class is provided for transforms to use in converting date 
values between these formats. 


The following sections describe the methods of DateConv. 


public static String edirToRacfDate (String seconds) 


Returns a date in the mm/dd/yy format used by the RACF ALTUSER 
command RESUME and REVOKE parameters. The input is assumed to be an 
eDirectory Time value, coded as a string. 


Parameters 
seconds - String value of number of seconds since 1970-01-01 00:00 UTC 
Returns 


String value mm/dd/yy local time 


Example 

edirToRacfDate ("1068440400") 
Returns the string 11/10/03. 

Notes 


If an exception occurs, a string of 00/00/00 is returned. This can happen if the 
input string cannot be converted to a number. 
racfToEdirTime 


public static String racfToEdirTime (String mmddyy) 


Returns an eDirectory Time value as a string. The input is assumed to be the 
date value in the format mm/dd/yy, specified for the RESUME or REVOKE 
parameter of a RACF ALTUSER command. 


Parameters 


mmddyy - String value representing a date in the form mm/dd/yy 


Returns 


String value of number of seconds since 1970-01-01 00:00 UTC 


Example 


racfToEdirTime ("11/10/03") 


Returns the string 1068440400. 


Notes 


If an exception occurs, a string of 0 is returned. If the input string cannot be 
parsed into three strings using a '/' as a separator, a string of 000 is returned. 


RACF interprets the two-digit year value as being in the range 1971-2070. 


eDirectory Time values appear to be limited to the integer (int) number of 
seconds since 1970-01-01 00:00 UTC. This overflows on 2038-01-18. Novell 
utilities limit Login Expiration Time to not exceed the year 2037. A RACF 
date beyond 2037 is set to 2037-12-31. 


No explicit conversion is performed between UTC and local time. The RACF 
date values are local time. The result corresponds to the default time zone of 
the default locale. 
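The behaviour of the two methods, including the edge cases listed above, reimplemented in Python as an added example (this is not the driver's own DateConv code). Assumptions: the time zone is pinned to UTC-5, which is what the documented example values imply, whereas the real class uses the default locale; the 1971-2070 window for two-digit years and the 2037-12-31 cap are applied as described in the notes.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the Java class uses the JVM default time zone. A fixed UTC-5
# offset is pinned here so the guide's example values (1068440400 <-> 11/10/03)
# reproduce wherever this runs.
RACF_LOCAL_TZ = timezone(timedelta(hours=-5))

# eDirectory Time is an int count of seconds; the guide says a RACF date
# beyond 2037 is set to 2037-12-31.
MAX_EDIR_DATE = datetime(2037, 12, 31, tzinfo=RACF_LOCAL_TZ)


def edir_to_racf_date(seconds, tz=RACF_LOCAL_TZ):
    """eDirectory Time (seconds since 1970-01-01 00:00 UTC, as a string)
    -> mm/dd/yy local date for ALTUSER RESUME/REVOKE.
    Any conversion failure yields "00/00/00", as documented."""
    try:
        when = datetime.fromtimestamp(int(str(seconds).strip()), tz)
    except (ValueError, OverflowError, OSError):
        return "00/00/00"
    return when.strftime("%m/%d/%y")


def racf_to_edir_time(mmddyy, tz=RACF_LOCAL_TZ):
    """mm/dd/yy (RACF, local time) -> eDirectory Time as a string.
    "000" if the value does not split into three fields on '/';
    "0" if the three fields do not form a valid date."""
    parts = str(mmddyy).split("/")
    if len(parts) != 3:
        return "000"
    try:
        month, day, yy = (int(p) for p in parts)
        if not 0 <= yy <= 99:
            raise ValueError("year must be two digits")
        # RACF interprets two-digit years as lying in 1971-2070.
        year = 1900 + yy if yy >= 71 else 2000 + yy
        when = datetime(year, month, day, tzinfo=tz)
    except ValueError:
        return "0"
    if when > MAX_EDIR_DATE:
        when = MAX_EDIR_DATE  # keep the value inside the eDirectory int range
    return str(int(when.timestamp()))
```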
Operating Procedures 


This section describes operational considerations for Novell® Nsure™ 
Identity Manager Driver for MVS RACF. 


Migrating and Synchronizing Data 


DirXML® synchronizes data as it changes. If you want to synchronize all data 
immediately, you can choose from the following options: 


+ Migrate Data From eDirectory: Allows you to select containers or 
objects you want to migrate from eDirectory™ to an application. When 
you migrate an object, the DirXML engine applies all of the Matching, 
Placement, and Create policies, as well as the Subscriber filter, to the 
object. 


+ Migrate Data Into eDirectory: Allows you to define the criteria 
DirXML uses to migrate objects from an application into eDirectory. 
When you migrate an object, the DirXML engine applies all of the 
Matching, Placement, and Create policies, as well as the Publisher filter, 
to the object. Objects are migrated into eDirectory using the order you 
specify in the Class list. 


¢ Synchronize: DirXML processes all objects for classes listed in the 
Subscriber class filter. Associated objects are merged. Objects without an 
association are processed as Add events. 


To use one of these options: 
1 In iManager, select DirXML Management > Overview. 


2 Locate the driver set containing the MVS RACF driver, then double-click 
the driver icon. 


3 Click the appropriate migration button. 
Migrating Users and Groups from RACF to eDirectory 


To migrate users and groups from RACF, you must migrate all of the groups 
first, and then migrate all of the users. This is because RACF group profiles 
do not always contain a complete list of their member users. Add group and 
modify group events never contain group members in the Publisher channel 
of the MVS RACF driver. 


Migrating Users and Groups from eDirectory to RACF 


To migrate users and groups from eDirectory, you must migrate all of the 
groups first, and then migrate all of the users. This is because the Subscriber 
channel policies process the User object Group Membership attribute, but not 
the Group Object Member attribute. 


Deleting Groups in eDirectory 


If you want to delete a group from eDirectory and ensure that the 
corresponding RACF group is not used until you can schedule the RACF 
Remove ID utility, remove each user from the Group object’s Member list 
before you delete it. 


Because the RACF DELGROUP command does not clean up references to a 
group from such places as resource access lists, and cannot be used to delete 
a universal group, the Subscriber Event policy vetoes delete commands for 
Group objects. IBM recommends that you use the RACF Remove ID utility 
(IRRRID00) when deleting groups. For more information, see your Security 
Server RACF Security Administrator's Guide. 


Deleting Users in eDirectory 


RACF performs no cleanup actions when deleting a user. This could result in 
security exposures if a new user is created with the same name. The 
preconfigured Subscriber Event policy converts a delete command for a User 
object into a modify command that sets the Login Disabled attribute. The 
Subscriber channel processes this as a RACF ALTUSER command to revoke 
the user’s access to the system. 
Performing Administrative Password Resets 


Administrative password resets on a RACF system result in the new password 
being marked as expired. The user must change the password immediately 
upon using it for the first time. Administrative password resets in eDirectory 
result in similar behavior if periodic password changes are required. 


The driver cannot detect that a new password is marked as expired, and RACF 
provides no mechanism to mark an existing password as being expired. 


Users should be instructed to change the password upon first usage after an 
administrative password reset even if the system does not prompt them to do 
so. 


Controlling the Change Log Started Task 


The RACF exits add information about events to an in-storage cross memory 
queue as they occur. The Change Log Started Task moves events from this 
queue to the Change Log data set, where they await processing by the driver. 


Start the Change Log Started Task during your IPL procedure before user 
processing begins. Any RACF events of interest that occur are stored in the 
cross memory queue until the Change Log Started Task has initialized. 


You can briefly stop the Change Log Started Task if necessary. Any RACF 
events of interest that occur while the Change Log Started Task is not running 
remain in the cross memory queue, and are written to the Change Log data set 
when the Change Log Started Task is restarted. 


Stop the Change Log Started Task during your system shutdown procedure 
after all user processing has ended. Any RACF events of interest that occur 
after the Change Log Started Task shuts down remain in the cross memory 
queue and are lost when the system is shut down. 


Starting the Change Log Started Task 
To start the Change Log Started Task, use the MVS START command. 
START LDXLOGRP 


If you have used a different name for the Change Log Started Task cataloged 
procedure, substitute the name that you used into the preceding command. 
Stopping the Change Log Started Task 
To stop the Change Log Started Task, use the MVS STOP command. 
STOP LDXLOGRP 


If you have used a different name for the Change Log Started Task cataloged 
procedure, substitute the name that you used into the preceding command. 
Troubleshooting 


This section describes how you can collect and interpret troubleshooting 
information for Novell® Nsure™ Identity Manager Driver for MVS RACF, 
and provides considerations for troubleshooting its operation. 


+ “Using DSTrace” on page 81 

+ “Understanding LDX Messages” on page 82 

+ “Using Novell Nsure Audit” on page 82 

+ “Using JCL and Job Logs” on page 82 

+ “Conforming to RACF Requirements and Limitations” on page 82 

+ “Using the LDXSERV STATUS Command” on page 83 

+ “Using Association Values” on page 84 

+ “Other Troubleshooting Tips” on page 84 

+ “Common Problems” on page 85 

+ “Additional Troubleshooting Information Sources” on page 88 


Using DSTrace 


You can gather extensive troubleshooting information for the driver by using 
the DSTrace utility. For each event or operation received, the driver returns an 
XML document containing a status report. If the operation fails, the status 
report contains information about the error. 


For information about gathering DirXML® trace information with DSTrace, 
see TID 10065332 at the Novell Support Web site (http://support.novell.com). 
For additional information about using DSTrace in troubleshooting DirXML, 
see the Nsure Identity Manager Administration Guide (http:// 
www.novell.com/documentation/lg/dirxml20). 


Understanding LDX Messages 


RACF Event Subsystem components write numbered status and diagnostic 
messages prefixed with the characters “LDX.” For detailed information about 
each LDX message, see Appendix B, “Messages,” on page 135. 


Using Novell Nsure Audit 


You can use Novell Nsure Audit to control how and where DirXML messages 
are delivered. Using this service in combination with the driver log level 
setting provides you with tracking control at a very granular level and with the 
option for immediate notice when problems occur. For more information, see 
the Nsure Identity Manager Administration Guide (http://www.novell.com/ 
documentation/lg/dirxml20). 


Using JCL and Job Logs 


The JCL and Job logs, and other SYSOUT from the Change Log Started Task 
and from the TSO sessions used by the driver can be useful for 
troubleshooting. Ensure that these are retained as appropriate. 


Conforming to RACF Requirements and Limitations 


Ensure that RACF restrictions, such as length and character set of a user ID, 
are met by all commands that reach the driver shim. For more information 
about these restrictions, see “RACF Restrictions” on page 68. 


For information about driver processing subject to other RACF limitations, 
see “Subscriber and Publisher Channel Processing” on page 22, “Guidelines 
for Customization” on page 68, and “Driver Processing of Attributes and 
Commands” on page 127. 
Using the LDXSERV STATUS Command 


You can use the LDXSERV STATUS command to check the status of the 
RACF Event Subsystem. 


Issuing the LDXSERV STATUS Command 


1 Log on to TSO using a user ID with a STEPLIB DD statement for the 
LDX load library. The LDXPROC logon JCL procedure includes this 
STEPLIB. 


2 Enter LDXSERV STATUS. 


Output of the LDXSERV STATUS Command 


LDXSERV STATUS command output is in XML form for the use of the 
driver, but you can use the output for yourself as well. 


<ldx> 
  <source> 
    <product build="20040225" instance="ldxserv" version="1.1"> 
      RACF Event Subsystem Utility Command 
    </product> 
    <contact>Novell, Inc.</contact> 
  </source> 
  <output> 
    <status level="success"> 
      <exit name="LDXRIX02" state="active" version="0.99" build-date="20031205" 
            times-called="885" events-queued="0" info="ok"/> 
      <exit name="LDXEVX01" state="active" version="0.99" build-date="20040220" 
            times-called="0" events-queued="0" info="ok"/> 
      <queue version="0.99" state="active" created-by="LDXRIX02" entries="0"/> 
      <logger version="0.99" state="active" taskid="LDXLOGR"/> 
      <logfile name="LDX.EVENTLOG" state="empty"/> 
    </status> 
  </output> 
</ldx> 
Table 6 LDXSERV STATUS Output Elements 


Element Name   Content 

<exit>         Information about the RACF exits 
<queue>        Information about the cross memory event queue 
<logger>       Information about the Change Log Started Task 
<logfile>      Information about the Change Log data set 
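As an added example (not part of the driver or this guide), a small Python check that reads LDXSERV STATUS output and reports what an operator would want to know: an exit or the logger that is not active, an exit info value other than ok, or a cross memory queue backlog. The sample document is constructed to resemble the output above, with one exit and the logger deliberately made inactive; the 1000-entry backlog threshold is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the LDXSERV STATUS output shown above.
# The second exit and the logger are deliberately not active, and the queue
# holds entries, to exercise the checks below.
SAMPLE_STATUS = """<ldx>
<source>
<product build="20040225" instance="ldxserv" version="1.1">
RACF Event Subsystem Utility Command
</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status level="success">
<exit name="LDXRIX02" state="active" version="0.99" build-date="20031205"
times-called="885" events-queued="0" info="ok"/>
<exit name="LDXEVX01" state="inactive" version="0.99" build-date="20040220"
times-called="0" events-queued="12" info="not installed"/>
<queue version="0.99" state="active" created-by="LDXRIX02" entries="12"/>
<logger version="0.99" state="inactive" taskid="LDXLOGR"/>
<logfile name="LDX.EVENTLOG" state="empty"/>
</status>
</output>
</ldx>"""

# Same document with everything active, for comparison.
HEALTHY_STATUS = (SAMPLE_STATUS.replace('state="inactive"', 'state="active"')
                  .replace('info="not installed"', 'info="ok"'))


def check_ldxserv_status(xml_text, queue_warn=1000):
    """Parse LDXSERV STATUS output and return a list of problem strings;
    an empty list means the RACF Event Subsystem looks healthy.
    `queue_warn` (assumed threshold) flags a backlog in the cross memory
    queue, which usually means the Change Log Started Task is not draining it."""
    problems = []
    status = ET.fromstring(xml_text).find("output/status")
    if status is None:
        return ["no <status> element in LDXSERV output"]
    if status.get("level") != "success":
        problems.append(f"status level is {status.get('level')!r}")
    for exit_el in status.findall("exit"):
        name = exit_el.get("name")
        if exit_el.get("state") != "active":
            problems.append(f"exit {name} state {exit_el.get('state')!r}")
        if exit_el.get("info") != "ok":
            problems.append(f"exit {name} info {exit_el.get('info')!r}")
    queue = status.find("queue")
    if queue is None or queue.get("state") != "active":
        problems.append("cross memory queue not active")
    elif int(queue.get("entries", "0")) >= queue_warn:
        problems.append(f"queue backlog of {queue.get('entries')} entries")
    logger = status.find("logger")
    if logger is None or logger.get("state") != "active":
        problems.append("Change Log Started Task (logger) not active")
    return problems
```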


Using Association Values 


The general format of an association value produced by Novell Nsure Identity 
Manager Driver for MVS RACF is ClassName\ObjectName. These 
association values are all uppercase. 


Examples: 


USER\ANDREW 


USER\CLAIRE 


GROUP\ADMIN 


Other Troubleshooting Tips 


+ Ensure that the Driver object has appropriate rights. 


+ Ensure that the driver parameters have the appropriate and correct values. 
For information about the driver parameters, see “Configuring Driver 
Parameters after Setup Has Been Completed” on page 64. 


+ Ensure that the global configuration values have the appropriate and 
correct settings. For information about setting global configuration 
values, see “Setting Global Configuration Values” on page 61. 


+ If the LDXSERV command does not have APF authorization, it ABENDs 
with a code of S047. 


+ Ensure that all JCL on all systems specifies the correct (same) Change 
Log data set. 
Common Problems 


Invalid Password Supplied 
Problem: A trace shows the following: 

<description>Driver exception.</description> 
<exception class-name="com.Omnibond.system.Command.CommandSessionException"> 
<message>Error occured during writeLine(): 
com.Omnibond.system.Command.ScriptException: linenum=4 
cursor=0 : Invalid password supplied 
</message> 
</exception> 

Possible Cause: The password for the administrative user ID is not specified correctly in the 
driver parameters. 

Action: Specify the correct Application Password in the driver parameters. For details, 
see “Configuring Driver Parameters after Setup Has Been Completed” on page 64. 


User Is Not Authorized 
Problem: A trace shows the following: 

<description>Driver exception.</description> 
<exception class-name="com.Omnibond.system.Command.CommandSessionException"> 
<message>Error occured during writeLine(): 
com.Omnibond.system.Command.ScriptException: linenum=3 
cursor=0 : User is not authorized 
</message> 
</exception> 

Possible Cause: The administrative user ID is not specified correctly in the driver parameters. 

Action: Specify the correct Authentication ID in the driver parameters. For details, see 
“Configuring Driver Parameters after Setup Has Been Completed” on page 64. 
No Route to Host 
Problem: A trace shows the following: 

<description>Driver exception.</description> 
<exception class-name="com.Omnibond.system.Command.CommandSessionException"> 
<message>Error connecting: 
java.net.NoRouteToHostException: No route to host 
</message> 
</exception> 

Possible Cause: The RACF host address or Telnet port is not specified correctly in the driver 
parameters. 

Action: Specify the correct RACF host address and Telnet port in the driver 
parameters. For details, see “Configuring Driver Parameters after Setup Has 
Been Completed” on page 64. 


Account Number Has Not Been Defined for Use 
Problem: A trace shows the following: 

<description>Driver exception.</description> 
<exception class-name="com.Omnibond.system.Command.CommandSessionException"> 
<message>Error occured during writeLine(): 
com.Omnibond.system.Command.ScriptException: linenum=6 
cursor=0 : Account Number has not been defined for use 
</message> 
</exception> 

Possible Cause: The RACF TSO account number is not specified correctly in the driver 
parameters. 

Action: Specify the correct RACF TSO account number in the driver parameters. For 
details, see “Configuring Driver Parameters after Setup Has Been Completed” 
on page 64. 
Operation Vetoed by Object Matching Policy 
Problem: A trace shows the following: 

Code (-8016) Operation vetoed by object matching policy. 

Possible Cause: Your Matching policy rejected the operation. 

Action: Verify that your Matching policy is working as intended. 

Possible Cause: No Matching policy is in use. 

Action: Ensure that a Matching policy that properly implements your installation 
management policies is provided. The Use Default Matching Rules global 
configuration value is not enabled after installation. For details, see 
“Setting Global Configuration Values” on page 61. 


User Already Logged On 
Problem: A trace shows the following: 

<description>Driver exception.</description> 
<exception class-name="com.Omnibond.system.Command.CommandSessionException"> 
<message>Error occured during writeLine(): 
com.Omnibond.system.Command.ScriptException: linenum=3 
cursor=0 : User already logged on 
</message> 
</exception> 

Possible Cause: The administrative user ID specified in the driver parameters could not be 
logged on by the driver because it is already in use. MVS does not allow 
multiple concurrent TSO logons for the same user ID. 

Action: Ensure that only the driver uses the administrative user ID. 
Additional Troubleshooting Information Sources 

For additional DirXML troubleshooting tips, see the troubleshooting topics 
in the Nsure Identity Manager Administration Guide (http:// 
www.novell.com/documentation/lg/dirxml20). 
MVS RACF Schema and Driver Processing 


The Novell® Nsure™ Identity Manager Driver for MVS RACF converts 
commands and events between the eDirectory™ and RACF representations of 
their information. 


This section describes the MVS RACF schema and the driver shim processing 
relationships between MVS RACF objects and attributes and RACF 
commands and their parameters. 


This section contains the following topics: 


+ “MVS RACF Schema” on page 90 
  + Table 7, “Class User Attribute Descriptions,” on page 90 
  + Table 8, “Class User Attributes,” on page 96 
  + Table 9, “Class Group Attribute Descriptions,” on page 104 
  + Table 10, “Class Group Attributes,” on page 105 

+ “RACF Command Parameter Mapping” on page 106 
  + Table 11, “ADDUSER Command Mapping,” on page 107 
  + Table 12, “ALTUSER Command Mapping,” on page 112 
  + Table 13, “ADDGROUP Command Mapping,” on page 124 
  + Table 14, “ALTGROUP Command Mapping,” on page 125 
  + Table 15, “CONNECT Command Mapping,” on page 126 
  + Table 16, “REMOVE Command Mapping,” on page 126 
  + Table 17, “PASSWORD Command Mapping,” on page 126 

+ “Driver Processing of Attributes and Commands” on page 127 
MVS RACF Schema 

The following tables describe the schema used by the driver. 
+ Table 7, “Class User Attribute Descriptions,” on page 90 
+ Table 8, “Class User Attributes,” on page 96 
+ Table 9, “Class Group Attribute Descriptions,” on page 104 
+ Table 10, “Class Group Attributes,” on page 105 

Table 7 Class User Attribute Descriptions 

Attribute Name                    Description 
DirXML-RACF-adsp                  Automatic Data Set Protection (ADSP) attribute for the user. 
DirXML-RACF-auditor               AUDITOR attribute for the user. 
DirXML-RACF-category              Installation-defined security categories. 
DirXML-RACF-cics-opclass          CICS operator class numbers for basic mapping support (BMS) messages. 
DirXML-RACF-clauth                Classes for which the user is allowed to define profiles. 
DirXML-RACF-data                  Installation-defined data for the user. 
DirXML-RACF-dce-autologin         Whether z/OS UNIX DCE is to automatically log this user in. 
DirXML-RACF-dce-dcename           DCE principal name for the user. 
DirXML-RACF-dce-homecell          DCE cell name for the user. 
DirXML-RACF-dce-homeuuid          DCE universal unique identifier (UUID) of the cell the user is defined to. 
DirXML-RACF-dce-uuid              DCE universal unique identifier (UUID) of the DCE principal defined in DCENAME. 
DirXML-RACF-dfltgrp               Default group for the user. 
DirXML-RACF-dfp-dataappl          DFP data application for the user. 
DirXML-RACF-grpacc                Whether group data sets protected by DATASET profiles defined by the user are automatically accessible to other users in the group. 
DirXML-RACF-kerb-encrypt-des 
DirXML-RACF-kerb-encrypt-des3 
DirXML-RACF-kerb-encrypt-desd 
DirXML-RACF-kerb-kerbname 
DirXML-RACF-nds-uname             Novell Directory Services for OS/390 user name. 
DirXML-RACF-netview-consname      Default MCS console name identifier. 
DirXML-RACF-netview-ctl           Whether a security check is performed for this NetView operator for span or cross-domain logon. 
DirXML-RACF-netview-domains       NetView program identifiers in another NetView domain where this operator can start a cross-domain session. 
DirXML-RACF-netview-ic            NetView initial command list string. 
DirXML-RACF-netview-msgrecvr      Whether this operator receives unsolicited messages not routed to a specific NetView operator. 
DirXML-RACF-netview-ngmfadmn      Whether the NetView operator has administrator authority to the NetView Graphic Monitor Facility (NGMF). 
DirXML-RACF-netview-ngmfvspn      Reserved for future use by the NetView Graphic Monitor Facility. 
DirXML-RACF-netview-opclass       NetView scope classes for which the operator has authority. 
DirXML-RACF-omvs-assizemax        The RLIMIT_AS hard limit resource value the user's processes receive when they are dubbed a process. 
DirXML-RACF-omvs-cputimemax       The RLIMIT_CPU hard limit resource value the user's processes receive when they are dubbed a process. 
DirXML-RACF-omvs-fileprocmax      The maximum number of files the user is allowed to have concurrently active or open. 
DirXML-RACF-omvs-home             The user's hierarchical file system (HFS) home directory pathname. 
DirXML-RACF-omvs-mmapareamax      The maximum amount of data space storage, in pages, that can be allocated by the user for HFS file memory mapping. 
DirXML-RACF-omvs-procusermax      The maximum number of processes the user is allowed to have active at the same time. 
DirXML-RACF-omvs-program          The pathname of the user's UNIX shell program. 
DirXML-RACF-omvs-threadsmax       The maximum number of pthread_created threads the user can have concurrently active. 
DirXML-RACF-operparm-auto         Whether the user's MCS console session receives messages that have been automated by the Message Processing Facility (MPF) in the sysplex. 
DirXML-RACF-operparm-cmdsys       The system to which commands from the user's MCS console session are sent. 
DirXML-RACF-operparm-dom          Which delete operator message (DOM) requests the user's MCS console session receives. 
DirXML-RACF-operparm-key          User's name for DISPLAY CONSOLES,KEY. 
DirXML-RACF-operparm-level        Message levels the user's MCS console session receives. 
DirXML-RACF-operparm-logcmdresp   Whether command responses to the user's MCS console session are logged. 
DirXML-RACF-operparm-mform        Message format for the user's MCS console session. 
DirXML-RACF-operparm-migid        Whether a migration ID is assigned to the user's MCS console session. 
DirXML-RACF-operparm-monitor      Which information is displayed at the user's MCS console session when monitoring jobs, TSO sessions, or data set status. 
DirXML-RACF-operparm-mscope       Systems from which the user's MCS console session receives messages not directed to a specific console. 
DirXML-RACF-operparm-routcode     Routing codes of messages the user's MCS console session receives. 
DirXML-RACF-operparm-storage      Amount of storage in the TSO/E address space that can be used for message queuing to the user's MCS console session. 
DirXML-RACF-operparm-ud           Whether the user's MCS console session receives undelivered messages. 
DirXML-RACF-proxy-binddn          Distinguished name (DN) the z/OS LDAP Server uses when acting as a proxy. 
DirXML-RACF-proxy-bindpw          Password the z/OS LDAP Server uses when acting as a proxy. 
DirXML-RACF-proxy-ldaphost        URL of the LDAP server the z/OS LDAP Server contacts when acting as a proxy. 
DirXML-RACF-restricted            Whether the user is RESTRICTED: global access checking is bypassed when resource access checking is performed for the user, and neither ID(*) on the access list nor the UACC grants the user access. 
DirXML-RACF-resumedate            Future date on which the user will be allowed access to the system again. 
DirXML-RACF-revoked               Whether the user is prevented from accessing the system. 
DirXML-RACF-revokedate            Future date on which the user will be prevented from accessing the system. 
DirXML-RACF-when-days             Days of the week when the user is allowed to log on to the system. 
DirXML-RACF-when-time             Hours of the day when the user is allowed to log on to the system. 
DirXML-RACF-workattr-waaccnt      Account number for APPC/MVS processing. 
DirXML-RACF-workattr-waaddr1      Address line 1 for SYSOUT delivery. 
DirXML-RACF-workattr-waaddr2      Address line 2 for SYSOUT delivery. 
DirXML-RACF-workattr-waaddr3      Address line 3 for SYSOUT delivery. 
DirXML-RACF-workattr-waaddr4      Address line 4 for SYSOUT delivery. 
DirXML-RACF-workattr-wabldg       Building for SYSOUT delivery. 
DirXML-RACF-workattr-wadept       Department for SYSOUT delivery. 
DirXML-RACF-workattr-waname       Name for SYSOUT delivery. 
DirXML-RACF-workattr-waroom       Room for SYSOUT delivery. 
Table 8 Class User Attributes 

Attribute Name                    Case Sensitive  Multivalue  Naming  Read-Only  Required  Type 
DirXML-RACF-adsp                  false           false       false   false      false     state 
DirXML-RACF-auditor               false           false       false   false      false     state 
DirXML-RACF-category              false           true        false   false      false     string 
DirXML-RACF-cics-opclass          false           true        false   false      false     int 
DirXML-RACF-cics-opident          false           false       false   false      false     string 
DirXML-RACF-cics-opprty           false           false       false   false      false     int 
DirXML-RACF-cics-timeout          false           false       false   false      false     string 
DirXML-RACF-cics-xrfsoff          false           false       false   false      false     string 
DirXML-RACF-clauth                false           true        false   false      false     string 
DirXML-RACF-data                  false           false       false   false      false     string 
DirXML-RACF-dce-autologin         false           false       false   false      false     state 
DirXML-RACF-dce-dcename           false           false       false   false      false     string 
DirXML-RACF-dce-homecell          false           false       false   false      false     string 
DirXML-RACF-dce-homeuuid          false           false       false   false      false     string 
DirXML-RACF-dce-uuid              false           false       false   false      false     string 
DirXML-RACF-dfltgrp               false           false       false   false      false     dn 
DirXML-RACF-dfp-dataappl          false           false       false   false      false     string 
DirXML-RACF-dfp-dataclas          false           false       false   false      false     string 
DirXML-RACF-dfp-mgmtclas          false           false       false   false      false     string 
DirXML-RACF-dfp-storclas          false           false       false   false      false     string 
DirXML-RACF-eim-ldapprof          false           false       false   false      false     string 
DirXML-RACF-groups                false           true        false   false      false     dn 
DirXML-RACF-grpacc                false           false       false   false      false     state 
DirXML-RACF-kerb-encrypt-des      false           false       false   false      false     state 
DirXML-RACF-kerb-encrypt-des3     false           false       false   false      false     state 
DirXML-RACF-kerb-encrypt-desd     false           false       false   false      false     state 
DirXML-RACF-kerb-kerbname         false           false       false   false      false     string 
DirXML-RACF-kerb-maxtktlfe        false           false       false   false      false     int 
DirXML-RACF-language-primary      false           false       false   false      false     string 
DirXML-RACF-language-secondary    false           false       false   false      false     string 
DirXML-RACF-lnotes-sname          false           false       false   false      false     string 
DirXML-RACF-model                 false           false       false   false      false     string 
DirXML-RACF-name                  false           false       false   false      false     string 
DirXML-RACF-nds-uname             false           false       false   false      false     string 
DirXML-RACF-netview-consname      false           false       false   false      false     string 
DirXML-RACF-netview-ctl           false           false       false   false      false     string 
DirXML-RACF-netview-domains       false           true        false   false      false     string 
DirXML-RACF-netview-ic            false           false       false   false      false     string 
DirXML-RACF-netview-msgrecvr      false           false       false   false      false     state 
DirXML-RACF-netview-ngmfadmn      false           false       false   false      false     state 
DirXML-RACF-netview-ngmfvspn      false           false       false   false      false     string 
DirXML-RACF-netview-opclass       false           true        false   false      false     string 
DirXML-RACF-omvs-assizemax        false           false       false   false      false     int 
DirXML-RACF-omvs-cputimemax       false           false       false   false      false     int 
DirXML-RACF-omvs-fileprocmax      false           false       false   false      false     int 
DirXML-RACF-omvs-home             false           false       false   false      false     string 
DirXML-RACF-omvs-mmapareamax      false           false       false   false      false     int 
DirXML-RACF-omvs-procusermax      false           false       false   false      false     int 
DirXML-RACF-omvs-program          false           false       false   false      false     string 
DirXML-RACF-omvs-threadsmax       false           false       false   false      false     int 
DirXML-RACF-omvs-uid              false           false       false   false      false     int 
DirXML-RACF-operations            false           false       false   false      false     state 
DirXML-RACF-operparm-altgrp       false           false       false   false      false     string 
DirXML-RACF-operparm-auth         false           false       false   false      false     string 
DirXML-RACF-operparm-auto         false           false       false   false      false     state 
DirXML-RACF-operparm-cmdsys       false           false       false   false      false     string 
DirXML-RACF-operparm-dom          false           false       false   false      false     string 
DirXML-RACF-operparm-key          false           false       false   false      false     string 
DirXML-RACF-operparm-level        false           false       false   false      false     string 
DirXML-RACF-operparm-logcmdresp   false           false       false   false      false     string 
DirXML-RACF-operparm-mform        false           false       false   false      false     string 
DirXML-RACF-operparm-migid        false           false       false   false      false     state 
DirXML-RACF-operparm-monitor      false           false       false   false      false     string 
DirXML-RACF-operparm-mscope       false           true        false   false      false     string 
DirXML-RACF-operparm-routcode     false           false       false   false      false     string 
DirXML-RACF-operparm-storage      false           false       false   false      false     int 
DirXML-RACF-operparm-ud           false           false       false   false      false     state 
DirXML-RACF-ovm-fsroot            true            false       false   false      false     string 
DirXML-RACF-ovm-home              true            false       false   false      false     string 
DirXML-RACF-ovm-program           true            false       false   false      false     string 
DirXML-RACF-ovm-uid               false           false       false   false      false     int 
DirXML-RACF-password-interval     false           false       false   false      false     string 
DirXML-RACF-password-passdate     false           false       false   true       false     string 
DirXML-RACF-proxy-binddn          false           false       false   false      false     string 
DirXML-RACF-proxy-bindpw          false           false       false   false      false     string 
DirXML-RACF-proxy-ldaphost        false           false       false   false      false     string 
DirXML-RACF-restricted            false           false       false   false      false     state 
DirXML-RACF-resumedate            false           false       false   false      false     string 
DirXML-RACF-revoked               false           false       false   false      false     state 
DirXML-RACF-revokedate            false           false       false   false      false     string 
DirXML-RACF-seclabel              false           false       false   false      false     string 
DirXML-RACF-seclevel              false           false       false   false      false     string 
DirXML-RACF-special               false           false       false   false      false     state 
DirXML-RACF-tso-acctnum           false           false       false   false      false     string 
DirXML-RACF-tso-command           false           false       false   false      false     string 
DirXML-RACF-tso-dest              false           false       false   false      false     string 
DirXML-RACF-tso-holdclass         false           false       false   false      false     string 
DirXML-RACF-tso-jobclass          false           false       false   false      false     string 
DirXML-RACF-tso-maxsize           false           false       false   false      false     int 
DirXML-RACF-tso-msgclass          false           false       false   false      false     string 
DirXML-RACF-tso-proc              false           false       false   false      false     string 
DirXML-RACF-tso-seclabel          false           false       false   false      false     string 
DirXML-RACF-tso-size              false           false       false   false      false     int 
DirXML-RACF-tso-sysoutclass       false           false       false   false      false     string 
DirXML-RACF-tso-unit              false           false       false   false      false     string 
DirXML-RACF-tso-userdata          false           false       false   false      false     string 
DirXML-RACF-uaudit                false           false       false   false      false     state 
DirXML-RACF-userid                false           false       true    true       true      string 
DirXML-RACF-when-days             false           false       false   false      false     string 
DirXML-RACF-when-time             false           false       false   false      false     string 
DirXML-RACF-workattr-waaccnt      false           false       false   false      false     string 
DirXML-RACF-workattr-waaddr1      false           false       false   false      false     string 
DirXML-RACF-workattr-waaddr2      false           false       false   false      false     string 
DirXML-RACF-workattr-waaddr3      false           false       false   false      false     string 
DirXML-RACF-workattr-waaddr4      false           false       false   false      false     string 
DirXML-RACF-workattr-wabldg       false           false       false   false      false     string 
DirXML-RACF-workattr-wadept       false           false       false   false      false     string 
DirXML-RACF-workattr-waname       false           false       false   false      false     string 
DirXML-RACF-workattr-waroom       false           false       false   false      false     string 
Table 9 Class Group Attribute Descriptions 

Attribute Name                    Description 
DirXML-RACF-data                  Installation-defined data for the group profile. 
DirXML-RACF-termuacc              Whether RACF uses the universal access authority of a terminal when checking whether a user in the group is authorized to access that terminal. 
DirXML-RACF-tme-roles             TME roles that reference the group. 
DirXML-RACF-universal             Whether this is a universal group. 
Table 10 Class Group Attributes 

Attribute Name                    Case Sensitive  Multivalue  Naming  Read-Only  Required  Type 
DirXML-RACF-data                  false           false       false   false      false     string 
DirXML-RACF-dfp-dataappl          false           false       false   false      false     string 
DirXML-RACF-dfp-dataclas          false           false       false   false      false     string 
DirXML-RACF-dfp-mgmtclas          false           false       false   false      false     string 
DirXML-RACF-dfp-storclas          false           false       false   false      false     string 
DirXML-RACF-group                 false           false       true    false      true      string 
DirXML-RACF-model                 false           false       false   false      false     string 
DirXML-RACF-omvs-gid              false           false       false   false      false     int 
DirXML-RACF-ovm-gid               false           false       false   false      false     int 
DirXML-RACF-owner                 false           false       false   false      false     string 
DirXML-RACF-subgroup              false           true        false   true       false     dn 
DirXML-RACF-supgroup              false           false       false   false      false     dn 
DirXML-RACF-termuacc              false           false       false   false      false     state 
DirXML-RACF-tme-roles             false           true        false   false      false     string 
DirXML-RACF-universal             false           false       false   false      false     state 
RACF Command Parameter Mapping 

The following tables show how the driver relates schema attributes to RACF 
command parameters. For details about RACF command parameters, see your 
RACF documentation. 

IMPORTANT: The driver performs no validation or consistency checking of attribute 
values received in command documents. If RACF limitations are not met, RACF 
command processing can produce incomplete, inconsistent, or invalid results. 
Any validation your installation requires must therefore be done in the driver 
policies before a command document reaches the driver shim. 

+ Table 11, “ADDUSER Command Mapping,” on page 107 
+ Table 12, “ALTUSER Command Mapping,” on page 112 
+ Table 13, “ADDGROUP Command Mapping,” on page 124 
+ Table 14, “ALTGROUP Command Mapping,” on page 125 
+ Table 15, “CONNECT Command Mapping,” on page 126 
+ Table 16, “REMOVE Command Mapping,” on page 126 
+ Table 17, “PASSWORD Command Mapping,” on page 126 
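The IMPORTANT note is the security-relevant point of this appendix: whatever the policies hand to the shim is sent to RACF as-is, so the place to enforce the schema, and to stop a synchronization from quietly granting RACF authority, is a policy in front of the Subscriber channel. The following Python check is an added example, not the driver's own code, and stands in for such a policy: it validates an XDS add or modify document against a subset of Table 8 transcribed into the SCHEMA table (multivalue, read-only, type), and separately flags attribute changes that confer privilege so they can be held for review. The PRIVILEGED set, the sample document and the decision to treat a read-only write as a hard error are my assumptions; the attribute names and their properties are the guide's.

```python
"""Validate an XDS command against the Class User schema before it reaches RACF.

Added example, not the driver's code. SCHEMA is a subset of Table 8:
attribute -> (multivalue, read-only, type). PRIVILEGED is an assumption.
"""
import re
import xml.etree.ElementTree as ET

SCHEMA = {
    "DirXML-RACF-userid":            (False, True,  "string"),
    "DirXML-RACF-dfltgrp":           (False, False, "dn"),
    "DirXML-RACF-groups":            (True,  False, "dn"),
    "DirXML-RACF-category":          (True,  False, "string"),
    "DirXML-RACF-omvs-uid":          (False, False, "int"),
    "DirXML-RACF-omvs-home":         (False, False, "string"),
    "DirXML-RACF-revoked":           (False, False, "state"),
    "DirXML-RACF-special":           (False, False, "state"),
    "DirXML-RACF-operations":        (False, False, "state"),
    "DirXML-RACF-auditor":           (False, False, "state"),
    "DirXML-RACF-password-passdate": (False, True,  "string"),
    "DirXML-RACF-proxy-bindpw":      (False, False, "string"),
}

# Assumption: setting these true grants RACF authority (SPECIAL, OPERATIONS,
# AUDITOR), so a sync that does it should be reviewed rather than auto-applied.
PRIVILEGED = {"DirXML-RACF-special", "DirXML-RACF-operations", "DirXML-RACF-auditor"}


def _type_ok(kind, value):
    """Cheap syntactic check per schema type; RACF still decides semantics."""
    if kind == "int":
        return re.fullmatch(r"-?\d+", value) is not None
    if kind == "state":
        return value in ("true", "false")
    if kind == "dn":
        return value.strip() != ""
    return True  # string: anything goes at this layer


def validate_xds(xml_text):
    """Return (errors, review_flags) for one <add> or <modify> command document."""
    errors, flags = [], []
    root = ET.fromstring(xml_text)
    if root.tag not in ("add", "modify"):
        return [f"unsupported command <{root.tag}>"], flags
    for attr in root.findall("./add-attr") + root.findall("./modify-attr"):
        name = attr.get("attr-name", "")
        if name not in SCHEMA:
            errors.append(f"{name}: not in Class User schema")
            continue
        multivalue, read_only, kind = SCHEMA[name]
        if read_only:
            errors.append(f"{name}: read-only attribute cannot be written")
        # values being added: <add-attr><value> or <modify-attr><add-value><value>
        added = [v.text or "" for v in attr.findall("./value") + attr.findall("./add-value/value")]
        removed = [v.text or "" for v in attr.findall("./remove-value/value")]
        if not multivalue and len(added) > 1:
            errors.append(f"{name}: single-valued, but {len(added)} values supplied")
        for value in added + removed:
            if not _type_ok(kind, value):
                errors.append(f"{name}: {value!r} is not a valid {kind}")
        if name in PRIVILEGED and "true" in added:
            flags.append(f"{name}: grants RACF authority, hold for approval")
    return errors, flags


# Constructed sample: one bad integer, one write to a read-only attribute,
# one legitimate multivalued change, and one privilege grant.
SAMPLE_MODIFY = r"""<modify class-name="User" event-id="42" src-dn="\DigitalAirLines\users\mei">
<association>USER\MEI</association>
<modify-attr attr-name="DirXML-RACF-omvs-uid">
<remove-all-values/><add-value><value>abc</value></add-value>
</modify-attr>
<modify-attr attr-name="DirXML-RACF-userid">
<remove-all-values/><add-value><value>MEI2</value></add-value>
</modify-attr>
<modify-attr attr-name="DirXML-RACF-category">
<add-value><value>PAYROLL</value><value>AUDIT</value></add-value>
</modify-attr>
<modify-attr attr-name="DirXML-RACF-special">
<remove-all-values/><add-value><value>true</value></add-value>
</modify-attr>
</modify>"""

if __name__ == "__main__":
    errs, review = validate_xds(SAMPLE_MODIFY)
    print("reject" if errs else "accept", errs, review)
```

A policy built on this would veto the command when errors is non-empty and route the document elsewhere when review_flags is non-empty; RACF itself would accept a numeric-looking UID or a SPECIAL grant without comment.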
Table 11 ADDUSER Command Mapping 

Parameter            RACF Schema Attribute Name 
ADDCATEGORY          DirXML-RACF-category 
DFP DATACLAS         DirXML-RACF-dfp-dataclas 
DFP MGMTCLAS         DirXML-RACF-dfp-mgmtclas 
NETVIEW NGMFVSPN     DirXML-RACF-netview-ngmfvspn 
OPERPARM UD          DirXML-RACF-operparm-ud 
OVM FSROOT           DirXML-RACF-ovm-fsroot 
TSO SYSOUTCLASS      DirXML-RACF-tso-sysoutclass 
TSO UNIT             DirXML-RACF-tso-unit 
TSO USERDATA         DirXML-RACF-tso-userdata 
WHEN DAYS            DirXML-RACF-when-days 
WHEN TIME            DirXML-RACF-when-time 
WORKATTR WAACCNT     DirXML-RACF-workattr-waaccnt 
WORKATTR WAADDR1     DirXML-RACF-workattr-waaddr1 
WORKATTR WAADDR2     DirXML-RACF-workattr-waaddr2 
WORKATTR WAADDR3     DirXML-RACF-workattr-waaddr3 
WORKATTR WAADDR4     DirXML-RACF-workattr-waaddr4 
WORKATTR WABLDG      DirXML-RACF-workattr-wabldg 
WORKATTR WADEPT      DirXML-RACF-workattr-wadept 
WORKATTR WANAME      DirXML-RACF-workattr-waname 
WORKATTR WAROOM      DirXML-RACF-workattr-waroom 
Table 12 ALTUSER Command Mapping 

Parameter            RACF Schema Attribute Name 
ADDCATEGORY          DirXML-RACF-category 
DATA                 DirXML-RACF-data 
NODFP                DirXML-RACF-dfp-dataappl 
NODFP                DirXML-RACF-dfp-dataclas 
NOKERB               DirXML-RACF-kerb-maxtktlfe 
LANGUAGE NOPRIMARY   DirXML-RACF-language-primary 
LANGUAGE SECONDARY   DirXML-RACF-language-secondary 
LANGUAGE NOSECONDARY DirXML-RACF-language-secondary 
NETVIEW NODOMAINS    DirXML-RACF-netview-domains 
NETVIEW IC           DirXML-RACF-netview-ic 
OMVS NOCPUTIMEMAX    DirXML-RACF-omvs-cputimemax 
OMVS NOPROCUSERMAX   DirXML-RACF-omvs-procusermax 
OPERPARM AUTO        DirXML-RACF-operparm-auto 
OPERPARM NOAUTO      DirXML-RACF-operparm-auto 
OPERPARM UD          DirXML-RACF-operparm-ud 
                     DirXML-RACF-operparm-monitor 
NOOVM                DirXML-RACF-ovm-home 
NOOVM                DirXML-RACF-ovm-program 
TSO DEST             DirXML-RACF-tso-dest 
NOTSO                DirXML-RACF-tso-jobclass 
NOTSO                DirXML-RACF-tso-maxsize 
WORKATTR NOWADEPT    DirXML-RACF-workattr-wadept 
WORKATTR WANAME      DirXML-RACF-workattr-waname 
WORKATTR NOWANAME    DirXML-RACF-workattr-waname 
WORKATTR WAROOM      DirXML-RACF-workattr-waroom 
WORKATTR NOWAROOM    DirXML-RACF-workattr-waroom 
NOWORKATTR           DirXML-RACF-workattr-waaccnt 
NOWORKATTR           DirXML-RACF-workattr-waaddr1 
NOWORKATTR           DirXML-RACF-workattr-waaddr2 
NOWORKATTR           DirXML-RACF-workattr-waaddr3 
NOWORKATTR           DirXML-RACF-workattr-waaddr4 
NOWORKATTR           DirXML-RACF-workattr-wabldg 
NOWORKATTR           DirXML-RACF-workattr-wadept 
NOWORKATTR           DirXML-RACF-workattr-waname 
NOWORKATTR           DirXML-RACF-workattr-waroom 
Table 13 ADDGROUP Command Mapping 

Parameter            RACF Schema Attribute Name 
DATA                 DirXML-RACF-data 

Table 14 ALTGROUP Command Mapping 

Parameter            RACF Schema Attribute Name 
DATA                 DirXML-RACF-data 
NOTERMUACC           DirXML-RACF-termuacc 
TME ROLES            DirXML-RACF-tme-roles 
TME ADDROLES         DirXML-RACF-tme-roles 
TME DELROLES         DirXML-RACF-tme-roles 
TME NOROLES          DirXML-RACF-tme-roles 
NOTME                DirXML-RACF-tme-roles 

Table 15 CONNECT Command Mapping 

Parameter            RACF Schema Attribute Name 
GROUP                DirXML-RACF-groups 

Table 16 REMOVE Command Mapping 

Parameter            RACF Schema Attribute Name 
GROUP                DirXML-RACF-groups 

Table 17 PASSWORD Command Mapping 

Parameter            RACF Schema Attribute Name 
USER                 DirXML-RACF-userid 
INTERVAL             DirXML-RACF-password-interval 
NOINTERVAL           DirXML-RACF-password-interval 
Driver Processing of Attributes and Commands 

XDS commands involving MVS RACF schema attributes are processed by the 
Subscriber channel subject to the limitations of RACF. If operations that 
do not conform to the RACF design are specified, the results are 
unpredictable. For detailed information about the processing of RACF 
commands, see your RACF documentation. 


Some RACF command parameters and values, or combinations of parameters 
and values, can produce results that cannot be directly codified in the events 
generated by the Publisher channel. Other RACF processing, such as a user 
being revoked because of an excessive number of invalid password attempts, 
does not cause an event at all. Changes made directly to the RACF database, 
such as those made using ICHEINTY, also do not cause events. 

Changes made in eDirectory or RACF cannot always be sent round trip 
through the driver into the other system and back again unchanged, because 
not all mapped attributes correspond precisely. 


Certain combinations of RACF command parameters, and other RACF 
processing, can result in an inconsistent state between the RACF database and 
the MVS RACF schema attributes stored in the auxiliary classes. 


The following sections describe the handling of certain special cases by the 
driver. 


DirXML-RACF-revoked, DirXML-RACF-revokedate, and DirXML-RACF-resumedate 


RACF maintains a future REVOKE date (which can be not-specified), a future 
RESUME date (which can be not-specified), and a revoked state for each user 
in the RACF database. Setting and unsetting the revoked state clears both date 
fields. If RACF revokes a user due to inactivity or due to excessive invalid 
password attempts, it clears both date fields. 


DirXML-RACF-revoked, DirXML-RACF-revokedate, and DirXML-RACF-resumedate 
are processed by the Subscriber channel using the REVOKE and RESUME 
parameters of the ALTUSER RACF command. 


The Publisher channel publishes changes to DirXML-RACF-revoked, 
DirXML-RACF-revokedate, and DirXML-RACF-resumedate when a RACF 
ALTUSER command with a REVOKE or RESUME parameter is issued. It 
also provides these attributes when requested by a query operation. Changes 
that occur as a side effect of some other action, such as the revoking of a user 
because of excessive invalid password attempts, do not generate events to be 
published; such revocations are visible in eDirectory only after a query. 


The following sections describe the processing of XDS modify command 
elements for these schema attributes by the Subscriber channel. 


Except as noted, XDS modify commands that contain changes for these 
attributes in combination produce unpredictable results. 


DirXML-RACF-revoked Value=true 


Assume the following modify command. 


<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei"> 
<association>USER/MEI</association> 
<modify-attr attr-name="DirXML-RACF-revoked"> 
<remove-all-values/> 
<add-value> 
<value>true</value> 
</add-value> 
</modify-attr> 
</modify> 


The Subscriber channel treats a remove-all-values followed by an add-value 
as a replace operation for the attribute value. 


ALTUSER (MEI) REVOKE 


RACF processes a REVOKE without a date to take effect immediately. Any 
pending REVOKE date or RESUME date is cleared. If REVOKE is already 
in effect for the user, RACF ignores the REVOKE parameter and issues a 
message. This message appears in the status document returned by the 
Subscriber channel. 
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DirXML-RACF-revoked Value=false 


Assume the following modify command. 


<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei"> 
<association>USER/MEI</association> 
<modify-attr attr-name="DirXML-RACF-revoked"> 
<remove-all-values/> 
<add-value> 
<value>false</value> 
</add-value> 
</modify-attr> 
</modify> 


The Subscriber channel treats a remove-all-values followed by an add-value 
as a replace operation for the attribute value. 


ALTUSER (MEI) RESUME 


RACF processes a RESUME without a date to take effect immediately. Any 
pending REVOKE date or RESUME date is cleared. If no REVOKE or 
pending REVOKE is in effect for the user, RACF ignores the RESUME 
parameter. 


DirXML-RACF-revoked Remove-All-Values 


Assume the following modify command. 


<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei"> 
<association>USER/MEI</association> 
<modify-attr attr-name="DirXML-RACF-revoked"> 
<remove-all-values/> 
</modify-attr> 
</modify> 


The Subscriber channel treats a remove-all-values for DirXML-RACF-revoked 
as a RESUME. 


ALTUSER (MEI) RESUME 
DirXML-RACF-revokedate Value=mm/dd/yy 


Assume the following modify command. 


<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei"> 
<association>USER/MEI</association> 
<modify-attr attr-name="DirXML-RACF-revokedate"> 
<remove-all-values/> 
<add-value> 
<value>08/13/18</value> 
</add-value> 
</modify-attr> 
</modify> 


The Subscriber channel treats a remove-all-values followed by an add-value 
as a replace operation for the attribute value. 


ALTUSER (MEI) REVOKE (08/13/18) 


RACF establishes a pending REVOKE for the user that will take effect on 
August 13, 2018. If REVOKE is already in effect for the user, RACF ignores 
the REVOKE parameter and issues a message. This message appears in the 
status document returned by the Subscriber channel. 


DirXML-RACF-revokedate Remove-All-Values 


Assume the following modify command. 


<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei"> 
<association>USER/MEI</association> 
<modify-attr attr-name="DirXML-RACF-revokedate"> 
<remove-all-values/> 
</modify-attr> 
</modify> 


There is no RACF command to explicitly clear the RACF REVOKE date. The 
Subscriber channel does not process remove-all-values for 
DirXML-RACF-revokedate. 
DirXML-RACF-resumedate Value=mm/dd/yy 


Assume the following modify command. 


<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei"> 
<association>USER/MEI</association> 
<modify-attr attr-name="DirXML-RACF-resumedate"> 
<remove-all-values/> 
<add-value> 
<value>09/11/25</value> 
</add-value> 
</modify-attr> 
</modify> 


The Subscriber channel treats a remove-all-values followed by an add-value 
as a replace operation for the attribute value. 


ALTUSER (MEI) RESUME (09/11/25) 


RACF establishes a pending RESUME for the user that will take effect on 
September 11, 2025. If no REVOKE or pending REVOKE is in effect for the 
user, RACF ignores the RESUME parameter. 


DirXML-RACF-resumedate Remove-All-Values 


Assume the following modify command. 


<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei"> 
<association>USER/MEI</association> 
<modify-attr attr-name="DirXML-RACF-resumedate"> 
<remove-all-values/> 
</modify-attr> 
</modify> 


There is no RACF command to explicitly clear the RACF RESUME date. The 
Subscriber channel does not process remove-all-values for 
DirXML-RACF-resumedate. 
Modify Commands for Combinations of DirXML-RACF-revoked, DirXML-RACF-revokedate, 
and DirXML-RACF-resume 


The Subscriber channel processes modify commands for combinations of 
DirXML-RACF-revoked, DirXML-RACF-revokedate, and DirXML-RACF-resume 
the same way it processes these attributes individually, as described in 
the preceding sections. 


The Subscriber channel constructs RACF commands using the values 
provided in the XDS documents that it receives. It is important to note that 
some combinations are not meaningful. 
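The mapping described in the preceding sections, as an added example that is not the driver's own code: a Python function that reads an XDS modify document for the three attributes and produces the ALTUSER commands the text describes, and that reports the cases (remove-all-values for a date attribute) that produce no command. The sample_modify helper, the note texts and the mm/dd/yy date check are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Date syntax used by the REVOKE(date) and RESUME(date) keywords shown above.
_DATE = re.compile(r"^\d{2}/\d{2}/\d{2}$")


def sample_modify(attr: str, value: Optional[str] = None) -> str:
    """Constructed XDS modify document in the shape shown on this page:
    remove-all-values, optionally followed by add-value (a replace)."""
    add = f"<add-value><value>{value}</value></add-value>" if value is not None else ""
    return (
        '<modify class-name="User" event-id="27" src-dn="\\DigitalAirLines\\users\\mei">'
        "<association>USER/MEI</association>"
        f'<modify-attr attr-name="{attr}"><remove-all-values/>{add}</modify-attr>'
        "</modify>"
    )


def _userid(modify: ET.Element) -> str:
    assoc = modify.findtext("association") or ""
    kind, sep, name = assoc.partition("/")  # association value is USER/<RACF user ID>
    if kind != "USER" or not sep or not name:
        raise ValueError(f"unsupported association {assoc!r}")
    return name


def _change(modify_attr: ET.Element) -> Tuple[str, Optional[str]]:
    """Classify one modify-attr: ('replace', value), ('clear', None) or ('none', None)."""
    values = [v.text.strip() for v in modify_attr.iter("value") if v.text]
    if values:
        return "replace", values[-1]  # remove-all-values + add-value == replace
    if modify_attr.find("remove-all-values") is not None:
        return "clear", None
    return "none", None


def revoke_resume_commands(xds: str) -> Tuple[List[str], List[str]]:
    """Return (RACF commands to issue, notes for changes that yield no command)."""
    root = ET.fromstring(xds)
    if root.tag != "modify":
        raise ValueError("expected a modify document")
    userid = _userid(root)
    commands: List[str] = []
    notes: List[str] = []
    for ma in root.findall("modify-attr"):
        attr = ma.get("attr-name", "")
        op, value = _change(ma)
        if attr == "DirXML-RACF-revoked":
            if op == "replace":
                flag = (value or "").lower()
                if flag == "true":
                    commands.append(f"ALTUSER ({userid}) REVOKE")
                elif flag == "false":
                    commands.append(f"ALTUSER ({userid}) RESUME")
                else:
                    notes.append(f"{attr}: value {value!r} is not a boolean; ignored")
            elif op == "clear":
                # remove-all-values for DirXML-RACF-revoked is treated as a RESUME
                commands.append(f"ALTUSER ({userid}) RESUME")
        elif attr in ("DirXML-RACF-revokedate", "DirXML-RACF-resumedate"):
            keyword = "REVOKE" if attr.endswith("revokedate") else "RESUME"
            if op == "replace":
                if value is None or not _DATE.match(value):
                    notes.append(f"{attr}: {value!r} is not mm/dd/yy; ignored")
                else:
                    commands.append(f"ALTUSER ({userid}) {keyword} ({value})")
            elif op == "clear":
                # No RACF command clears a pending date, so remove-all-values
                # for a date attribute is not processed.
                notes.append(f"{attr}: no RACF command clears the {keyword} date; ignored")
    # Combinations are processed attribute by attribute, in document order.
    return commands, notes


if __name__ == "__main__":
    for doc in (sample_modify("DirXML-RACF-revoked", "true"),
                sample_modify("DirXML-RACF-revokedate"),
                sample_modify("DirXML-RACF-resumedate", "09/11/25")):
        print(revoke_resume_commands(doc))
```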


Password Synchronization 


If you omit the PASSWORD parameter or specify a PASSWORD parameter 
with no value on a RACF ADDUSER command, RACF sets the default 
password the same as the name of the user’s default group. If you specify a 
PASSWORD parameter with no value on a RACF ALTUSER command, 
RACF sets the password the same as the name of the user’s default group. The 
driver publishes a password with the value of the default group in these cases. 


If you enter an ALTUSER command for a user with a DFLTGRP parameter 
and a PASSWORD parameter with no value, RACF sets the password value 
to the name of the previous default group. It is not possible to determine the 
name of the previous default group. The driver does not publish a password in 
this case. 
ADDUSER and ALTUSER: NOPASSWORD and OIDCARD/NOOIDCARD Parameters 


User IDs with NOPASSWORD and NOOIDCARD are known to RACF as 
protected user IDs. Protected user IDs cannot access the system by any means 
that requires a password and cannot be revoked by excessive invalid password 
attempts. Protected user IDs are used for started tasks, production batch 
processing, and other similar purposes. Protected user IDs are not intended for 
end users or other systems. 


The Publisher channel does not publish events for protected user IDs. The 
Subscriber channel rejects commands for protected user IDs. 


If you specify the OIDCARD parameter on an ADDUSER or ALTUSER 
RACF command, the system prompts you to enter the operator identification 
card at the terminal reader. No other method is provided for entering the 
OIDCARD data. NOOIDCARD is the default for users when they are created. 


No MVS RACF schema attribute is provided for the NOPASSWORD, 
OIDCARD, and NOOIDCARD parameters of the ADDUSER and ALTUSER 
RACF commands. 


For more information about protected user IDs and operator identification 
cards, see your RACF documentation. 
Example ADDUSER NOPASSWORD Processing 


The driver does not publish events for protected user IDs. 


Command 


ADDUSER (JES2) NOPASSWORD 


Result Document 


No event is published. 


Example ALTUSER NOPASSWORD Processing 


If an existing user is altered to become protected, the driver removes its 
association. 


Command 


ALTUSER (PROC) NOPASSWORD 


Result Document 


<remove-association>USER\PROC</remove-association> 


Example OIDCARD Parameter Processing 


If you specify the OIDCARD or NOOIDCARD parameter on an ADDUSER 
or ALTUSER command, the Publisher channel does not represent the 
parameter in the event document. 


Command 


ADDUSER (KIRSTEN) NAME ('KIRSTEN WAGNER') OIDCARD 


Result Document 


<add class-name="User" event-id="2764" src-dn="\KIRSTEN"> 
<association>USER\KIRSTEN</association> 
<add-attr attr-name="RACF-userid"> 
<value type="string">KIRSTEN</value> 
</add-attr> 
<add-attr attr-name="RACF-name"> 
<value type="string">KIRSTEN WAGNER</value> 
</add-attr> 
</add> 
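The Publisher-side rules from the Password Synchronization and NOPASSWORD/OIDCARD sections, as an added example that is not the driver's own code: a small parser for ADDUSER/ALTUSER command text and a function that decides whether an event is published, whether an association is removed, and which default-group password (if any) is published. The command tokenizer, the default_group argument (standing in for the default group the driver would otherwise determine) and the placement of the password element are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional, Tuple
from xml.sax.saxutils import escape

# One RACF keyword, optionally followed by a parenthesised value. Quoted values
# such as NAME('KIRSTEN WAGNER') may contain blanks. Constructed for this example.
_TOKEN = re.compile(r"([A-Za-z0-9@#$]+)\s*(?:\(\s*('[^']*'|[^)]*?)\s*\))?")


def parse_user_command(text: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Return (verb, userid, {KEYWORD: value}). value None means the keyword had
    no parenthesised value; '' means an empty one such as PASSWORD()."""
    tokens = [(m.group(1).upper(), m.group(2)) for m in _TOKEN.finditer(text)]
    if not tokens or tokens[0][0] not in ("ADDUSER", "ALTUSER"):
        raise ValueError("expected an ADDUSER or ALTUSER command")
    verb, userid = tokens[0]
    rest = tokens[1:]
    if userid is None:  # form without parentheses: ADDUSER JES2 NOPASSWORD
        if not rest:
            raise ValueError("missing user ID")
        userid, rest = rest[0][0], rest[1:]
    params: Dict[str, Optional[str]] = {}
    for keyword, value in rest:
        if value is not None and len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        params[keyword] = value
    return verb, userid.upper(), params


def publish_event(command: str, event_id: str,
                  default_group: Optional[str] = None) -> Optional[str]:
    """Return the XDS document the Publisher channel would send for the command,
    or None when nothing is published."""
    verb, userid, p = parse_user_command(command)
    # NOPASSWORD together with NOOIDCARD (the default) makes the user ID protected:
    # no event for a new protected user, remove-association for an existing one.
    if "NOPASSWORD" in p and "OIDCARD" not in p:
        if verb == "ADDUSER":
            return None
        return f"<remove-association>USER\\{userid}</remove-association>"

    attrs: List[Tuple[str, str]] = []
    if verb == "ADDUSER":
        attrs.append(("RACF-userid", userid))
    if p.get("NAME"):
        attrs.append(("RACF-name", p["NAME"]))
    # OIDCARD and NOOIDCARD are never represented in the event document.

    # PASSWORD omitted on ADDUSER counts as "no value"; on ALTUSER it means unchanged.
    password: Optional[str] = None
    pw = p.get("PASSWORD", "" if verb == "ADDUSER" else None)
    if pw:
        password = pw
    elif pw == "":
        if verb == "ALTUSER" and "DFLTGRP" in p:
            password = None  # previous default group cannot be determined: publish nothing
        else:
            password = p.get("DFLTGRP") or default_group  # RACF defaults to the group name

    tag, attr_el = ("add", "add-attr") if verb == "ADDUSER" else ("modify", "modify-attr")
    lines = [f'<{tag} class-name="User" event-id="{event_id}" src-dn="\\{userid}">',
             f"<association>USER\\{userid}</association>"]
    for name, value in attrs:
        lines.append(f'<{attr_el} attr-name="{name}">')
        if tag == "modify":
            lines.append("<remove-all-values/>")
            lines.append(f'<add-value><value type="string">{escape(value)}</value></add-value>')
        else:
            lines.append(f'<value type="string">{escape(value)}</value>')
        lines.append(f"</{attr_el}>")
    if password:
        lines.append(f"<password>{escape(password)}</password>")
    lines.append(f"</{tag}>")
    return "\n".join(lines)


if __name__ == "__main__":
    for cmd in ("ADDUSER (JES2) NOPASSWORD",
                "ALTUSER (PROC) NOPASSWORD",
                "ADDUSER (KIRSTEN) NAME ('KIRSTEN WAGNER') OIDCARD"):
        print(cmd, "->", publish_event(cmd, "2764", default_group="SYS1"))
```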
Messages 


The Novell® Nsure™ Identity Manager Driver for MVS RACF writes 
messages recording key processing occurrences, diagnostic information, and 
general statistical information. These can be useful to you for monitoring 
operation and troubleshooting problems. 


+ “LDXO Messages” on page 135 
+ “LDXL Messages” on page 138 
+ “LDXU Messages” on page 141 


LDXO Messages 


LDX0001E There are old events on the LDX queue. Ensure that LDXLOGRP is started. 


Explanation: The cross memory queue access routine in a RACF exit found events in the 
cross memory queue that have been unprocessed for at least fifteen minutes. 
During normal operation, the Change Log Started Task processes events from 
the queue immediately. 


Message Destination: WTO. 
Possible Cause: The Change Log Started Task is not running. 
Action: Ensure that the Change Log Started Task is running. 


LDX0002I Unexpected RC xxxxxxxx during token processing routine. 


Explanation: An unexpected return code was received from MVS Name/Token Services by 
a RACF Event Subsystem component. 


Message Destination: WTO. 
Possible Cause: Internal system error. 


Action: Contact software support. Be ready to provide job logs and the console log 
with the exact contents of the message received. 


Messages 135 


LDX0103E Unable to parse command line. 


Explanation: The LDXSERV command contained invalid operands, and LDXSERV was 
unable to prompt for correct information. 


Message Destination: SYSTSPRT. 
Action: Correct the syntax of the LDXSERV command and reissue it. 


If the command was issued by the driver shim, contact software support. Be 
ready to provide driver logs and logs for the Telnet session showing the faulty 
command. 


LDX0104E EventID required for MARKDONE function. 


Explanation: An LDXSERV MARKDONE command was missing the required event token 
operand. 


Message Destination: SYSTSPRT. 
Possible Cause: Internal error in driver shim. 


Action: If the command was issued by the driver shim, contact software support. Be 
ready to provide driver logs and logs for the Telnet session showing the faulty 
command. 


LDX0105E Internal error: description 


Explanation: An unexpected error occurred in the LDXSERV command. The message 
contains a description of the problem. 


Message Destination: SYSTSPRT. 
Possible Cause: Internal error. 


Action: Contact software support. Be ready to provide driver logs and logs for the 
Telnet session. 


LDX0106E Unable to open the log file. 
Explanation: LDXSERV was unable to open the Change Log data set. 
Message Destination: SYSTSPRT. 
Possible Cause: The user ID running the LDXSERV command does not have access to the 
Change Log data set. 


Action: Check the TSO session log and message files for additional messages 
concerning the failure. 


If you are unable to determine and correct the cause of the error, contact 
software support. Be ready to provide driver logs and logs for the Telnet 
session. 


LDX0107E No preallocated log file and no valid environment. 


Explanation: The LDXSERV command was unable to find the Change Log data set because 
there was no LOGFILE DD statement and there was no valid LDX 
environment. The LDX environment is created when either of the RACF exits 
is invoked for the first time after an IPL or when the Change Log Started Task 
first starts. 


Message Destination: SYSTSPRT. 


Action: Ensure that you are logged on to a system where the RACF Event Subsystem 
is installed and that the RACF exits have been properly installed and are 
active. 


If you are unable to determine and correct the cause of the error, contact 
software support. Be ready to provide driver logs and logs for the Telnet 
session. 


LDX0108E No preallocated log file and logger is not active. 


Explanation: The LDXSERV command was unable to find the Change Log data set because 
there was no LOGFILE DD statement and the Change Log Started Task was 
not active. 


Message Destination: SYSTSPRT. 


Action: If you are unable to determine and correct the cause of the error, contact 
software support. Be ready to provide driver logs and logs for the Telnet 
session. 


LDX0109E Dynamic allocation failed for log file dsname, s99rc=rc, s99error=err. 


Explanation: The LDXSERV command was unable to dynamically allocate the Change Log 
data set. The dynamic allocation return code and reason codes are given in the 
message by rc and err respectively. 


Dynamic allocation return codes and reason codes are documented in the IBM 
publication MVS Programming: Authorized Assembler Services Guide. 
Message Destination: SYSTSPRT. 


Action: If you are unable to determine and correct the cause of the error, contact 
software support. Be ready to provide driver logs and logs for the Telnet 
session. 


LDXL Messages 


LDXL000 LOGGING STARTED AT hh:mm:ss ON mm/dd/yyyy 
Explanation: The Change Log Started Task has initialized. 
Message Destination: WTO. 


Action: Informational only. No action is required. 


LDXL001 MESSAGE LOG DISABLED, SYSPRINT DD MISSING 


Explanation: During initialization, the Change Log Started Task was unable to open the 
SYSPRINT DD statement. 


The Change Log Started Task continues processing, but no messages are 
written to SYSPRINT. 


Message Destination: WTO. 


Possible Cause: The SYSPRINT DD statement is missing from the JCL for the Change Log 
Started Task. 


Action: Ensure that a SYSPRINT DD statement is present in the JCL and that it 
defines a file that the Change Log Started Task can write to. 


LDXL002 EXECUTE STATEMENT PARAMETERS: parm-values 


Explanation: During initialization, the Change Log Started Task found the listed parameters 
present on the EXEC statement PARM parameter. 


Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXL003 START COMMAND PARAMETERS: parameters 


Explanation: During initialization, the Change Log Started Task found the listed parameters 
present on the START command. 
Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXL004 STOP COMMAND RECEIVED. 


Explanation: An operator entered a STOP command for the Change Log Started Task. The 
Change Log Started Task ends. 


Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXL005 MODIFY COMMAND PARAMETERS: parameters 


Explanation: An operator entered a MODIFY command for the Change Log Started Task 
with the listed parameters. 


Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXL006 UNRECOGNIZED CIBVERB TYPE: X'hh', COMMAND IGNORED 


Explanation: During processing, the Change Log Started Task received a command input 
buffer (CIB) with a verb other than STOP or MODIFY. Processing continues. 


Message Destination: SYSPRINT. 
Possible Cause: Internal system error. 


Action: Contact software support. Be ready to provide the console log and the 
SYSPRINT data set with the exact contents of the message received. 


LDXL007 OPERATOR CANCEL DETECTED, ATTEMPTING NORMAL SHUTDOWN 


Explanation: An operator has issued a CANCEL command without the DUMP parameter 
for the Change Log Started Task. The Change Log Started Task attempts a 
clean shutdown. 


Message Destination: SYSPRINT. 


Action: Wait for the Change Log Started Task to end. If the Change Log Started Task 
does not end within a reasonable amount of time, issue another CANCEL 
command, specifying the DUMP parameter. If the cause of the failure to end 
normally is not evident, contact software support. Be ready to provide the 
contents of the system dump, job and console logs, and SYSPRINT data set. 


NOTE: Use the STOP command for normal shutdown of the Change Log Started Task. 
LDXL008 EVENT TRACING ENABLED. 


Explanation: An operator has issued a MODIFY command for TRACE ON to the Change 
Log Started Task. Event tracing is turned on. 


Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXL009 EVENT TRACING DISABLED. 


Explanation: An operator has issued a MODIFY command for TRACE OFF to the Change 
Log Started Task. Event tracing is turned off. 


Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXL010 MODIFY COMMAND IGNORED, INVALID OR MISSING PARAMETERS. 


Explanation: An operator has issued a MODIFY command to the Change Log Started Task, 
but the command parameters are not recognized. The MODIFY command is ignored. 


Message Destination: SYSPRINT. 


Action: Reissue the MODIFY command with the intended parameters. 


LDXL011 EVENT RC(rc) DATA: event_data 


Explanation: Event tracing is turned on and an event has been processed. 


The return code from ProcessEvent is rc. The content of the event record is 
event_data. Processing continues. 


Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXL012 TERMINATING BECAUSE LOGGING ALREADY ACTIVE. 


Explanation: Upon startup, the Change Log Started Task has detected that another Change 
Log Started Task is already running. This instance of the Change Log Started 
Task terminates. 


To detect this condition, the Change Log Started Task enqueues exclusively 
on qname 'ldxlogr' rname '#LDXENVIRONTOKEN' when it initializes. If 
the enq macro fails, this message is issued. The Change Log Started Task 
dequeues this resource upon shutdown. 


Message Destination: SYSPRINT. 
Possible Cause: A START command for the Change Log Started Task has been issued more 
than once. 


Action: Do not start more than one instance of the Change Log Started Task at a time. 


LDXL013 LOGGING TO DATASET: dsname 


Explanation: The name of the Change Log data set in use is dsname. 
Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXL999 LOGGING ENDED AT hh:mm:ss ON mm/dd/yyyy 


Explanation: The Change Log Started Task is ending. 
Message Destination: SYSPRINT. 
Possible Cause: An operator entered a STOP command for the Change Log Started Task. 


Action: Informational only. No action is required. 


LDXU Messages 


LDXU000I Log File Utility started on mm/dd/yyyy at hh:mm:ss. 


Explanation: The Log File utility has initialized. 
Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXU001W Message log disabled, SYSPRINT DD missing. 


Explanation: During initialization, the Log File utility was unable to open the SYSPRINT 
DD statement. The Log File utility continues processing, but no messages are 
written to SYSPRINT. 


Message Destination: WTO. 
Possible Cause: The SYSPRINT DD statement is missing from the JCL for the Log File utility. 


Action: Ensure that a SYSPRINT DD statement is present in the JCL and that it 
defines a file that the Log File utility can write to. 


LDXU002I Execute statement parameters: parm-values 


Explanation: During initialization, the Log File utility found the listed parameters present 
on the EXEC statement PARM parameter. 


Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXU003E Open failed for log file. 
Explanation: The Log File utility could not open the Change Log data set. 
Message Destination: SYSPRINT. 
Possible Cause: The LOGFILE DD statement is missing from the JCL for the Log File utility. 


Action: Ensure that a LOGFILE DD statement is present in the JCL and that it defines 
a data set that the Log File utility can write to. 


LDXU004I Log file blocksize: blksize 


Explanation: The Log File utility is initializing the Change Log data set with a blocksize of 
blksize. 


Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXU005I Log file blocks written: block-count 


Explanation: While initializing the Change Log data set, the Log File utility has written 
block-count blocks of empty records. 


Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXU006E Open failed for LOADIN file. 
Explanation: The Log File utility Load function could not open the LOADIN ddname. 
Message Destination: SYSPRINT. 
Possible Cause: The LOADIN DD statement is missing from the JCL for the Log File utility. 


Action: Ensure that a LOADIN DD statement is present in the JCL and that it defines 
a file that the Log File utility can read. 


LDXU007E Unrecognized or missing execute statement parameter. 


Explanation: The Log File utility found an unknown parameter in the EXEC statement 
PARM parameter. 


Processing ends. 
Message Destination: SYSPRINT. 


Possible Cause: The EXEC statement PARM value is missing or does not contain one of the 
following functions: 


+ INITIALIZE 
+ DUMP 
+ LOAD 
Action: Correct the PARM value and resubmit the job. 


LDXU008I Log file events loaded: event-count 


Explanation: The Log File utility Load function has successfully loaded event-count events 
into the Change Log data set from the input file. 


Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXU009E Add event failed, error code code 


Explanation: The Log File utility Load function was unable to add an event record to the 
Change Log data set. The LDXLADD LDXIOERR code was code. 


Message Destination: SYSPRINT. 
Possible Cause: Internal system error. 


Action: Contact software support. Be ready to provide the job log and SYSPRINT data 
set with the exact contents of the message received. 
LDXU010E Read header failed, error code code 


Explanation: The Log File utility Dump function was unable to read the header record of 
the Change Log data set. The LDXLGETE LDXIOERR code was code. 


Message Destination: SYSPRINT. 
Possible Cause: Internal system error. 


Action: Contact software support. Be ready to provide the job log and SYSPRINT data 
set with the exact contents of the message received. 


LDXU011E Read event failed, error code code 


Explanation: The Log File utility Dump function was unable to read an event record from 
the Change Log data set. The LDXLGETE LDXIOERR code was code. 


Message Destination: SYSPRINT. 
Possible Cause: Internal system error. 


Action: Contact software support. Be ready to provide the job log and SYSPRINT data 
set with the exact contents of the message received. 


LDXU990I Open BDAM log succeeded. 


Explanation: The Log File utility has initialized the Change Log data set with empty records 
and has successfully opened it to complete the initialization by updating the 
header information. 


Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 


LDXU991E Open BDAM log failed. 


Explanation: The Log File utility has initialized the Change Log data set with empty 
records, but could not reopen it to complete the initialization by updating the 
header information. 


Message Destination: SYSPRINT. 
Possible Cause: Internal system error. 


Action: Contact software support. Be ready to provide job logs and the console log 
with the exact contents of the messages received. 
LDXU999I Log File Utility ended on mm/dd/yyyy at hh:mm:ss 
Explanation: The Log File utility has completed processing. 
Message Destination: SYSPRINT. 


Action: Informational only. No action is required. 




146 Nsure Identity Manager Driver 1.0 for MVS RACF Implementation Guide 


Index 


A 


ABEND S047 84 
Account Number Has Not Been Defined for Use 86 
Action on Applying RACF Account Entitlement 61 
Action on Removing RACF Account Entitlement 61 
activating the driver 66 
add processing 28 
Additional Handlers 65 
Additional Servlets 65 
ADDUSER command 47, 132 
administrative user ID 87 
changing password 47 
creating 47 
invalid password 85 
not authorized 85 
specifying to driver 58, 64 
Administrator 58 
Administrator Password 58 
administrative password resets 79 
ALTUSER command 33, 34, 47, 127, 132 
APF authorization 

ABEND S047 84 

LDXSERV 46 

load library 43 
Application Password 64, 85 
APPLID 58, 65 
arbitrary TSO commands, issuing 73 
association values 84 
attributes in filter 24 
Audit, Novell Nsure 82 
Authentication Context 64 
Authentication ID 64, 85 
auxiliary classes 18 

installing 57 


B 
bibliography 10 


C 


Change Log data set 16, 45, 84 
allocating and initializing 44 
Change Log Started Task 16 
controlling 79 
setting up 45 
starting 79 
stopping 80 
changing administrative user ID password 47 
classes in filter 24 
CLPA 50 
CN 28 
Code (-8016) 87 
Command class 73 
command parameter mapping 106 
Command policy 
Publisher 27, 34 
Subscriber 25, 33 
common problems 85 
component overview 15 
components 14 
configuration 19 
Configure Data Flow 59 
configuring 
dataflow 59 
Driver object 58 
driver parameters after setup 64 
global configuration values 61 
password synchronization 61, 62 
CONNECT command parameters 30 
connect profile 19, 20 
Connected System or Driver Name 62 
CONSOLxx 49 
controlling 
Change Log Started Task 79 
synchronization 70 
Create policy 
Publisher 27, 28 
Subscriber 25, 70 


Index 147 


cross memory queue 16, 79 
custom processing 73 
customizing 70 

guidelines 68 

starter set policies 67 


D 


data flow 24, 59, 70 
DateConv 74 
Default Group 59, 62 
default group as password 132 
Default TSO Acctnum 62 
Default TSO Maxsize 62 
Default TSO Procedure 62 
Default TSO Size 62 
delete processing 31 
deleting RACF groups 31, 78 
deleting RACF users 31, 78 
DELGROUP command 31 
DELUSER command 31 
diagram 15 
differences 19 
DirXML Accepts Passwords from RACF 61 
dirxml_jremote.tar 54 
DirXML-RACF-group 28 
DirXML-RACF-groups 30 
DirXML-RACF-password-interval 26, 27, 29 
DirXML-RACF-resume 132 
DirXML-RACF-resumedate 127, 131 
DirXML-RACF-revoked 28, 127, 128, 129, 132 
DirXML-RACF-revokedate 26, 27, 29, 127, 130, 
132 
DirXML-RACF-userid 28 
documentation 
additional 10 
updates 10 
Driver Cache Limit 64 
Driver Module 64 
Driver Name 58 
Driver object 
creating and configuring 58 
defining security equivalences 60 
Driver Object Password 64 
Driver object rights 84 
driver parameters 
changing 64 
Driver Password 60 


driver shim 14 
configuring 57, 64 
installing 51 
installing on eDirectory server 56 
installing on MVS 52, 55 
processing 127 

DSTrace 81 


E 


edirToRacfDate 75 
e-mail notification 26, 27, 62 
Enable Role-Based Entitlements 58 
entitlement 25, 58, 61 
Event policy 
Publisher 27 
Subscriber 20, 25, 31, 32 
EVENTID, LDXSERV 17 


F 
filter 24 


G 


GenerateKeyPair 34 
GETNEXT, LDXSERV 17 
global configuration values 61, 70 
Group Membership 30 
group profile 19 
naming restrictions 69 
groups 
deleting 78 
Groups Container 59, 62 


H 
Heartbeat Interval 59, 65 


I 


ICHRIX02 16, 49 

IEAAPFxx 43 

IEC031I D37 44 

IKJTSOxx 46 

Import a Driver Configuration 58 

Input policy 20, 27, 28, 29, 30, 31, 34, 35, 74 
Install Driver As Remote/Local 59 

installation overview 39 




installing 37 
auxiliary classes 57 
driver shim 51 
driver shim on eDirectory server 56 
driver shim on MVS 55 


driver shim on MVS using the Java Remote 


Loader 52 
Java 53 
Java Remote Loader 54 
RACF Event Subsystem 41 
RACF exits 49 
introduction 13 
Invalid Password Supplied 85 
IPL 43, 50 
IPL procedure 79 
IRREVX01 49 
IRRRID00 31, 78 
issuing arbitrary TSO commands 73 


J 


Java 
installing on MVS 53 
Java Remote Loader 
See Remote Loader 
JCL log 82 
Job log 82 


L 


LDXO messages 135 
LDXEVX01 16, 49 
LDXISSUE 17, 73 
LDXL messages 138 
LDXLOAD.XMT 42 
LDXLOGRP 45 
LDXPROC 46 
LDXRIX02 49 
LDXSAMP.XMT 42 
LDXSERV 17 

authorizing 46 

using LDXSERV STATUS 83 
LDXU messages 141 
LDXUTIL 44 
library setup 42 
limitations 

RACF 22, 68, 127 
LISTGROUP command 74 
LISTUSER command 74 


load library 42, 44, 45, 46 
APF authorizing 43 

log 82 

Log File utility 44 

LOG, LDXSERV 17 

Login Disabled 28, 31 

Login Expiration Time 29 

LOGINIT 44 

logon procedure 46, 58, 65 
default 62 

loopback 17 


M 


mapping 

See Schema Mapping policy 
MARKDONE, LDXSERV 17 
Matching policy 

enabling 59, 62 

operation vetoed 87 

Publisher 27 

Subscriber 25 
messages 82, 135 

LDXO 135 

LDXL 138 

LDXU 141 
migrating data 77 
migrating from eDirectory to RACF 78 
migrating from RACF to eDirectory 78 
modify processing 28 
modifyPassword API 34 
move processing 32 
MVS RACF schema 18, 90 
MVS START command 79 
MVS STOP command 80 


N 


NDS password 34, 61 

No Route to Host 86 

NOLOG, LDXSERV 17 
NOPASSWORD NOOIDCARD 133 


Notify the User of Password Synchronization Failure via E-mail 62 
Novell Nsure Audit 82 


O 


old-password element 34 




operating procedures 77 
Operation Vetoed by Object Matching Policy 87 
Output policy 20, 26, 29, 30 
overview 13 
diagram 15 


P 


PARMLIB command 46 
PASSWORD 132 
password 
administrative reset 79 
RACF restrictions 69 
PASSWORD command 47 
Password Expiration Interval 29 
Password Synchronization 33 
password synchronization 25, 27, 132 
configuring 61, 62 
Placement policy 
Publisher 27 
Subscriber 25 
policy 
starter set 23 
starter set summary 23 
Polling Interval 59, 65 
preconfigured sample policies 23 
product activation 66 
profile, RACF 19 
PROGxx 43, 49 
protected user IDs 133 
Publish Passwords to Distribution Password 61 
Publish Passwords to NDS Password 61 
Publisher channel 18 
preconfigured sample policies 27 
processing 22 
Publisher Disabled 65 


Q 


query processor 74 


R 


RACF Accepts Passwords from DirXML Data Store 61 
RACF command parameter mapping 106 
RACF Event Subsystem 15 
installing 41 
testing 48, 50 


RACF exits 16 
installing 49 
RACF Host Address 58, 65, 86 
RACF limitations 22, 68, 127 
RACF query processor 74 
RACF Remove ID utility 31, 78 
RACF restrictions 68 
RACF Telnet Port 58, 65, 86 
RACF TSO Account Number 58, 65, 86 
RACF TSO Name 58, 65 
RACF TSO Procedure 58, 65 
racf.sch file 57 
racfAccount entitlement 25 
racfshim.tar 55 
racfToEdirTime 76 
RACINIT 16 
RACROUTE 16 
Remote Host Name and Port 60 
Remote Loader 37, 51, 52, 59 
installing 54 
Remote Loader Connection Parameters 64 
Remote Loader Password 64 
Remote Password 60 
REMOVE command parameters 30 
rename processing 32 
Require Password Policy Validation Before 
Publishing Passwords 61 
requirements 
knowledge and skills 10 
planning 38 
rights to install and administer 38 
software prerequisites 38 
Reset User’s External System Password to the 
DirXML Password on Failure 61 
restrictions 
RACF 68 
RESUME 127 
REVOKE 127 
rights required 38 
RIXOA 49 
RIXOB 50 
router 50 


S 


sample policies 23 
samples library 42 
schema 




See MVS RACF schema 
Schema Mapping policy 23, 28, 29, 30, 75 
Security Equivalences 
Driver object 60 
SET PROG command 43, 49 
setting up the driver 57 
shared DASD 44 
SMP/E 49 
starter set policies 14, 23 
starting the Change Log Started Task 79 
Startup Option 64 
STATUS, LDXSERV 17 
stopping the Change Log Started Task 80 
Subscriber channel 18 
Command class 73 
preconfigured sample policies 25 
processing 22 
Surname 28 
synchronizing data 77 
SYS1.LPALIB 49 
SYS1.PARMLIB 43, 46, 49 
SYS1.PROCLIB 45 
SYSOUT 82 


T 


Telnet 37, 51 
port 65 
testing the RACF Event Subsystem 48, 50 
troubleshooting 81 
TSO logon procedure 46 


U 


universal group 19, 31, 78 
Universal Password 35 
Use Default Matching Rules 87 
59, 62 
User Already Logged On 87 
User Is Not Authorized 85 
user profile 19 
naming restrictions 69 
users 
deleting 78 
Users Container 59, 62 
using RACF query processor 74 


V 
VTAM APPLID 58, 65 






